Abstract



One-time memories (OTM's) are a simple type of tamper-resistant cryptographic hardware, which
can be used to implement many forms of secure computation, such as one-time programs. Here we
investigate the possibility of building OTM's using isolated qubits — qubits that can only be accessed
using local operations and classical communication (LOCC). Isolated qubits can be implemented
using current technologies, such as nitrogen vacancy centers in diamond.

We construct OTM's that are information-theoretically secure against one-pass LOCC adversaries
using 2-outcome measurements. (Also, these OTM's can be prepared and accessed by honest parties
using only LOCC operations.) This result is somewhat surprising, as OTM's cannot exist in a
fully-quantum world or in a fully-classical world; yet they can be built from the combination of a quantum
resource (single-qubit measurements) with a classical restriction (on communication between qubits).

Our construction resembles Wiesner's original idea of quantum conjugate coding, implemented
using random error-correcting codes; our proof of security uses entropy chaining to bound the
supremum of a suitable empirical process. In addition, we conjecture that our random codes can be
replaced by some class of efficiently-decodable codes, to get computationally-efficient OTM's that
are secure against computationally-bounded LOCC adversaries.



In addition, we construct data-hiding states, which allow an LOCC sender to encode an $(n - O(1))$-bit
message into $n$ qubits, such that at most half of the message can be extracted by a one-pass
LOCC receiver, but the whole message can be extracted by a general quantum receiver.

1 Introduction

1.1 One-time memories from a physical assumption 

One-time memories (OTM's) are a simple type of tamper-resistant cryptographic hardware [1]. An
OTM device behaves as follows: one party (Alice) can write two messages $s, t \in \{0,1\}$ into the
device, and then give the device to another party (Bob); after receiving the device, Bob can then
choose to read either $s$ or $t$, but not both. An OTM is far simpler than a general-purpose
processor, but it can be used to implement sophisticated forms of secure computation, such as one-time
programs$^1$ [1] (and, more recently, quantum one-time programs [2]). The remarkable fact about
these constructions is that the OTM is the only piece of hardware that has to be tamper-resistant;
everything else consists of cryptographic software running on untrusted general-purpose processors.

1 A one-time program is a package of hardware and software that is prepared by Alice and given to Bob. It can compute
a function $f$ (chosen by Alice when she prepares the package) on a single input $x$ provided by Bob (when he runs the
package). During its execution, the one-time program behaves like a black box, i.e., Bob learns nothing about its internal
functioning. After running once, the one-time program "self-destructs," i.e., it stops functioning, and no more information
can be extracted from it.

Intuitively, it seems much easier to build an OTM, rather than a general-purpose tamper-proof 
processor. Indeed, there are many practical approaches to building such devices. However, from a 
theoretical perspective, it would be nice if one could build provably-secure OTM's based on some 
clear physical principle, in the same way that one can build provably-secure encryption and signa- 
ture schemes based on assumptions that certain problems are computationally intractable. But this 
line of investigation runs into a number of obstacles. OTM's cannot exist in a fully classical world, 
because information can always be copied without destroying it. One might hope to build OTM's in 
a quantum world, where the no-cloning principle limits an adversary's ability to copy an unknown 
quantum state. However, this is also impossible, because an OTM can be used to perform oblivious 
transfer with information-theoretic security, and there are strong no-go theorems for quantum obliv- 
ious transfer, quantum bit commitment, and many other kinds of two-party secure computation in 
a quantum world [3J SJ [5J |S] . 

One way around these no-go theorems is to try to construct protocols that are secure against a 
restricted class of quantum adversaries, namely those that cannot perform entangled measurements 
on large numbers of qubits. Indeed, the adversaries in the no-go theorems (that break quantum bit 
commitment, oblivious transfer, etc.) seem to require the full power of a quantum computer, i.e., the 
ability to perform arbitrary quantum circuits with entangling gates; but the same protocols might 
be secure against weaker quantum adversaries. Salvail [7] has proved one such result, showing bit 
commitment that is secure against adversaries who can only perform $k$-local measurements, where
$k = O(1)$. Compared to this paper, Salvail proves security against a significantly stronger class of
adversaries (since $k$-local adversaries can do entangled measurements on subsets of $k$ qubits, while
we consider isolated single qubits). However, Salvail's protocol is interactive, and does not imply an 
OTM, which is required to be non-interactive; and the proof techniques needed for a non-interactive 
OTM are quite different. 

More recently, a number of authors have shown protocols for oblivious transfer, bit commitment 
and key distribution, that are secure against adversaries who have bounded or noisy quantum storage 
[SI O Uni E] • Here, one assumes that the adversary cannot store a large number of qubits for a long 
period of time, although the adversary may be able to perform arbitrary entangled measurements 
on the qubits while they are being transmitted. For comparison, in this paper we consider a comple- 
mentary scenario, where the qubits are isolated from the environment and from each other, so they 
can be stored forever, but the operations that can be performed on the qubits are restricted, such 
that the qubits can never become entangled with each other or with the adversary's measurement 
device. 

1.2 Isolated qubits 

In this paper we consider a model with isolated qubits, where all parties are only allowed to perform 
local quantum operations (on each qubit) and classical communication (between qubits). This class 
of operations is known as n-partite LOCC, where n is the number of qubits. We will construct an 
OTM that consists of n isolated qubits. When Alice prepares the device, she can perform n-partite 
LOCC operations on the qubits, and likewise, when Bob reads the device, he can perform n-partite 
LOCC operations on the qubits. However, there is no communication or interaction between Alice 
and Bob, apart from the step where Alice gives the device (containing the n qubits) to Bob. 

Note that this is a different scenario from most previous work on the power of LOCC operations 
[12] [13], where Alice and Bob share some bipartite quantum system, and a "local operation" refers
to an arbitrary operation on either Alice's subsystem or Bob's subsystem, and "classical
communication" refers to communication between Alice and Bob.

Our model of isolated qubits is motivated by recent experimental work on nitrogen vacancy
centers in diamond [17]. Nitrogen vacancy (NV) centers can be used to implement single qubits that
have relatively long coherence times (on the order of seconds or minutes), at room temperature in
a solid-state material. Individual NV centers can be read out and manipulated optically, but it is
difficult to perform entangling operations on pairs of NV centers, due to the large distances between
them. So NV centers are a plausible candidate to implement our model of isolated qubits.

However, it is important to note that there is ongoing experimental work to develop better 
entangling operations for NV centers, in order to build quantum computers. This work may make 
our model of isolated qubits less realistic, though we would argue that creating entanglement between 
NV centers will always be considerably harder than preventing it. 

We remark that there is some general intuition that relates to our "isolated qubits" model, as 
well as the bounded / noisy storage model [5J [TT]. When building a quantum computer, or more 
precisely a quantum memory, there are two conflicting requirements: first, to protect the qubits from 
unwanted interactions with the environment (i.e., noise and decoherence); and second, to provide 
strong interactions between the qubits and some kind of external probe (in order to read and write 
from the memory). The bounded / noisy storage model assumes that there is no way to build a 
quantum memory that meets both of these requirements, and can "read in" quantum information 
encoded in photons (for example). Our "isolated qubits" model assumes that one can build qubits 
with a particular trade-off between these two requirements, namely strong protection from noise and 
decoherence, and only classical (not entangling) gates and measurements. 

1.3 Data-hiding states 

Our first main result is a construction for data hiding states (see Section 2). These states are simpler
to analyze than our one-time memories, and they demonstrate the basic point that a sender can use
LOCC operations to "hide" information from a LOCC receiver. We consider a system of $n$ isolated
qubits, and we construct a set of $2^{\tilde n}$ states, where $\tilde n := n - O(1)$, by sampling independently at
random from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}^{\otimes n}$. (Here, $|+\rangle := (|0\rangle + |1\rangle)/\sqrt{2}$ and $|-\rangle := (|0\rangle - |1\rangle)/\sqrt{2}$ are
the Hadamard basis states.) These states are all tensor products of single-qubit pure states, hence
they can be prepared using only LOCC operations.

First, we show that these states can be distinguished almost perfectly using a general quantum 
measurement (the "pretty good measurement," see Section 2.1). Then we consider "one-pass" LOCC 
measurement strategies, i.e., measurement strategies that measure each qubit at most once. (For 
comparison, a general LOCC measurement strategy may perform many weak measurements on the 
same qubit. Note that bounding the power of general LOCC measurement strategies is a difficult open 
problem.) We show that a one-pass LOCC measurement strategy using 2-outcome measurements can
extract at most $\approx n/2$ bits of information about which state was prepared (see Sections 2.2 and 2.3).
Note that there exists a trivial LOCC measurement strategy that can extract $n/2$ bits of information,
by measuring each qubit in the $\{|0\rangle, |1\rangle\}$ basis, for instance; hence the above bound is tight. In
addition, we show that a one-pass LOCC measurement strategy using $q$-outcome measurements (for
any constant $q$) can extract at most $\approx (0.7067)n$ bits of information (see Section 2.4).

The main point of this data-hiding result is to pave the way for our construction of one-time 
memories, which will use a similar idea of sampling random states from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}^{\otimes n}$,
but will restrict access to the data in a more subtle way. 

In addition, our data-hiding states may also be of independent interest, as they differ from previ- 
ous work in some significant ways. On one hand, most previous constructions of data-hiding states 
P31 HH [HI [16] are secure against a much stronger class of LOCC adversaries (with infinite LOCC 
rather than one-pass LOCC). On the other hand, almost all of those constructions use entangled 
states, which cannot be realized in our isolated qubits model. (An exception is [14], which uses 
separable Werner states. This approach too is quite different from ours.) 

We remark that another line of work has focused on "nonlocality without entanglement" [12],
where one considers a bipartite system, and one constructs sets of separable states that are orthogonal 
but cannot be perfectly distinguished using LOCC; see [18] for a recent survey. Finally, there are a 
number of elegant results about unambiguous state discrimination using multipartite LOCC, which 
are applicable when the number of states to be distinguished is relatively small [HI [201 HI] ■ 

Our proof techniques are probabilistic, taking advantage of the random construction of our
data-hiding states. We develop two different approaches. The first approach is "entropy chaining," aka
Dudley's inequality for empirical processes. This is similar to a union bound over the set of all
one-pass adaptive LOCC measurement strategies, but it takes advantage of the positive correlations 
between the performance of strategies that are similar. This approach gives a tight bound for 
adversaries that use 2-outcome measurements, but it performs poorly when applied to adversaries 
that use q-outcome measurements for large q. The second approach involves calculating the "collision 
entropy" of the unknown message, conditioned on every possible sequence of measurement outcomes. 
This approach does not give a tight bound, but it works fairly well for all values of q. 

1.4 One-time memories 

We now describe our construction for one-time memories (see Section 3). We consider a system
of $n$ isolated qubits, and we pick two random error-correcting codes, $C : \{0,1\} \to \{0,1\}^n$ and
$D : \{0,1\} \to \{0,1\}^n$. (That is, each codeword is chosen independently and uniformly at random
in $\{0,1\}^n$.) Given two messages $s$ and $t$ in $\{0,1\}$, we prepare each qubit $i$ (for $i = 1, 2, \ldots, n$)
as follows. Let $C(s)_i$ and $D(t)_i$ denote the $i$'th bit in the strings $C(s)$ and $D(t)$, respectively. We
prepare the $i$'th qubit in a pure state that has the following properties: first, if the qubit is measured
in the $\{|0\rangle, |1\rangle\}$ basis, the outcome is more likely to be $|0\rangle$ if $C(s)_i = 0$, and $|1\rangle$ if $C(s)_i = 1$; and
second, if the qubit is measured in the $\{|+\rangle, |-\rangle\}$ basis, the outcome is more likely to be $|+\rangle$ if
$D(t)_i = 0$, and $|-\rangle$ if $D(t)_i = 1$. This is similar to Wiesner's idea of quantum conjugate coding [22].
We refer to these states as one-time memory (OTM) states.

It is straightforward to check that these OTM states can be prepared using only LOCC operations,
and that an honest party can recover either $s$ or $t$ using only LOCC operations (see Section 3.1).
We prove that no one-pass LOCC adversary using 2-outcome measurements can learn both $s$ and
$t$ simultaneously; in particular, no such adversary can extract more than $\approx (1.9189)k < 2k$ bits
of information about $(s,t)$ (see Section 3.2). This bound is surely not optimal, but at least it
demonstrates that our OTM construction "leaks" at most a constant fraction (bounded below 1) of
the bits of $s$ and $t$.

We remark that our OTM states do in fact leak some information. For instance, there is a
one-pass LOCC strategy that can extract $n/2 \approx (1.2528)k$ bits of information about $s$ and $t$.$^2$ Moreover,
an adversary can always obtain partial information about both $s$ and $t$. We conjecture that such
"leaky" OTM's are still sufficient for applications such as one-time programs. For instance, in the
case of one-time programs, the messages $s$ and $t$ are encryption keys; and there exist encryption
schemes that remain secure even after leakage of a constant fraction of the bits of the key [23].
However, we leave this question for future work.

The proof that these OTM states are secure uses similar techniques to our first result on
data-hiding states, but there are some additional challenges, as the OTM states are correlated, rather than
being chosen independently. To address this issue, our proof uses large-deviation bounds for locally
dependent random variables, and applies both of our previous techniques (bounding the "collision
entropy," and "entropy chaining") in sequence.

1.5 Outlook 

We think it is an interesting challenge to develop our OTM construction into a useful primitive 
for secure computation. In this paper we have taken a first step, by constructing OTM's based 
on isolated qubits, and analyzing their security in a simple information-theoretic framework (e.g., 
using random codes in the OTM's, and describing the adversary's knowledge in terms of mutual 
information). The next step is to make our OTM's efficient, and prove a stronger security guarantee 
that allows composition of OTM's to implement more sophisticated functions. 

First, we conjecture that the random codes $C$ and $D$ can be replaced by some class of
efficiently-decodable codes, to construct computationally-efficient one-time memories that are secure against
computationally-bounded LOCC adversaries. For comparison, note that the present construction,
while not computationally efficient, also makes no assumptions about the adversary's computational
power, i.e., it is secure against one-pass LOCC adversaries that have unbounded computational
power.

2 Let $|\alpha_{C(s)_i D(t)_i}\rangle$ be the state used to encode $C(s)_i$ and $D(t)_i$ into qubit $i$ (see Section 3 for the precise definition). It
turns out that $|\alpha_{00}\rangle$ and $|\alpha_{11}\rangle$ are orthogonal, and likewise, $|\alpha_{01}\rangle$ and $|\alpha_{10}\rangle$ are orthogonal. So, a one-pass LOCC strategy
that measures each qubit in the basis $\{|\alpha_{00}\rangle, |\alpha_{11}\rangle\}$ can extract $n/2 \approx (1.2528)k$ bits of information.

Second, we conjecture that our OTM's satisfy a stronger (composable) security guarantee, using 
the (smoothed) min-entropy to quantify the adversary's uncertainty about the messages s and t. 
Our present proof techniques have made some progress in this direction, e.g., by lower-bounding the 
collision entropy of s and t conditioned on the adversary's past measurement history. 

Finally, it is an open problem to better understand the power of general LOCC strategies (rather 
than the one-pass LOCC strategies considered here). 

1.6 Notation 

For any integer $n > 1$, we define $[n] := \{1, 2, \ldots, n\}$. For any vector $v \in \mathbb{C}^n$, we let
$\|v\|_2 = (\sum_i |v_i|^2)^{1/2}$ be the $\ell_2$ norm.

For any matrix $M \in \mathbb{C}^{m \times n}$, with singular values $\lambda_1(M) \ge \lambda_2(M) \ge \cdots$, we define the operator
norm $\|M\| := \lambda_1(M)$ and the Frobenius norm $\|M\|_F := (\sum_i \lambda_i(M)^2)^{1/2}$. The notation $M \succeq 0$
means $M$ is positive semidefinite.

An $\epsilon$-net $E$ (for a set $S$, with respect to some metric $d$) is a subset $E \subset S$ such that, for all $x \in S$,
there exists some $x' \in E$, such that $d(x, x') < \epsilon$. The covering number $N(S, d, \epsilon)$ is the minimum
cardinality of any such $\epsilon$-net $E$.

The $L_1$ or total variation distance between two random variables $X$ and $X'$ is denoted by
$\Delta(X, X') = \sum_x |\Pr[X = x] - \Pr[X' = x]|$.

The Shannon entropy of a random variable $X$ is denoted by $H(X)$, and the mutual information
between random variables $X$ and $Y$ is denoted by $I(X; Y)$. (Note that $I$ without parentheses denotes
the identity operator. It will be clear from the context which one is meant.) The Rényi collision
entropy of $X$ is denoted $H_2(X)$.

Logarithms are denoted as follows: $\ln(\cdot)$ is the natural logarithm, $\lg(\cdot)$ is the base-2 logarithm,
and $\log(\cdot)$ is the logarithm when the base does not matter (because the log appears inside a big-O
expression).

The Hamming distance between two binary strings $s, t \in \{0,1\}^n$ is denoted $d_H(s, t)$.

2 Data-hiding states 

Consider a system of $n$ qubits. We will construct a set $B$ of $2^{\tilde n}$ quantum states, with $\tilde n > n - O(1)$,
that has the following properties:

1. The states are pure and unentangled (i.e., they are tensor products of pure single-qubit states).

2. There exists an entangled quantum measurement that distinguishes these states almost
perfectly. In particular, given a state chosen uniformly at random from $B$, this measurement
recovers nearly $\tilde n$ bits of information about the identity of the state.

3. No $n$-party LOCC measurement strategy can distinguish these states very well. In particular,
given a state chosen uniformly at random from $B$, no $n$-party LOCC measurement strategy
using 2-outcome measurements can recover more than about $n/2$ bits of information about the
identity of the state. Similar bounds hold for $n$-party LOCC measurement strategies using
$q$-outcome measurements, for constant $q$.

We construct the set of states $B$ as follows. Set $\tilde n = n - O(1)$. Briefly, $B$ is a set of $2^{\tilde n}$ states
chosen independently and uniformly at random from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}^{\otimes n}$. To state this more
explicitly, we define the following single-qubit states:

$$|\alpha_{00}\rangle := |0\rangle, \quad |\alpha_{01}\rangle := |1\rangle, \quad |\alpha_{10}\rangle := |+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \quad |\alpha_{11}\rangle := |-\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle). \tag{1}$$

Choose a random mapping $E : \{0,1\}^{\tilde n} \to \{00, 01, 10, 11\}^n$, i.e., for each $u \in \{0,1\}^{\tilde n}$, assign $E(u)$ a
value chosen independently and uniformly at random in $\{00, 01, 10, 11\}^n$. Also, for $a = 1, 2, \ldots, n$,
let $E(u)_a \in \{00, 01, 10, 11\}$ denote the $a$'th entry in the string $E(u)$. Then let $B$ be the set of states
$|E(u)\rangle$ defined as follows:

$$|E(u)\rangle := \bigotimes_{a=1}^{n} |\alpha_{E(u)_a}\rangle, \quad \forall u \in \{0,1\}^{\tilde n}. \tag{2}$$

We will consider the following state discrimination problem, which we describe as a game between
a referee and a distinguisher. First, the referee chooses a random string $u$ in $\{0,1\}^{\tilde n}$, and prepares
the state $|E(u)\rangle$. Given this state, the distinguisher performs some measurement, and outputs a
string $z$ (over some alphabet). The goal of the distinguisher is to maximize the mutual information
$I(Z; U)$, where $U$ and $Z$ are the random variables representing the referee's choice of the state and
the distinguisher's output.

2.1 The pretty good measurement 

In this section we show that the states $|E(u)\rangle$ can be distinguished almost perfectly by a measurement
that uses entanglement among the $n$ qubits. In particular, we will consider the "pretty good
measurement" [23], which is defined as follows. Let $\rho$ be the mixed state $\rho := 2^{-\tilde n} \sum_{u \in \{0,1\}^{\tilde n}} |E(u)\rangle\langle E(u)|$.
Then the "pretty good measurement" is given by the following set of POVM elements:

$$M_{\mathrm{PGM}} := \{ |M(z)\rangle\langle M(z)|,\ z \in \{0,1\}^{\tilde n} \}, \quad \text{where } |M(z)\rangle := 2^{-\tilde n/2} \rho^{-1/2} |E(z)\rangle. \tag{3}$$

(If $\rho$ is not full-rank, then $\rho^{-1/2}$ is defined on the support of $\rho$.)

We will show that, with high probability over the choice of the states $|E(u)\rangle$, the pretty good
measurement works well. In particular, let $Z$ be the output of the pretty good measurement; we will
show that $Z = U$ with probability close to 1, and the mutual information $I(Z; U)$ is close to $\tilde n$.

Lemma 2.1. Let $C > 1$. With probability $\ge 1 - \frac{1}{C}$ (over the choice of $E$), we have

$$\Pr[Z = U] \ge 1 - 2\sqrt{C} \cdot 2^{(\tilde n - n)/2}. \tag{4}$$

In particular, for any $\epsilon > 0$, suppose that $\tilde n$ satisfies $\tilde n < n - \lg(C/\epsilon^2) - 2$. Then equation (4) implies
that

$$\Pr[Z = U] \ge 1 - \epsilon. \tag{5}$$

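Proof: First, we will give a lower-bound for $\Pr[Z = U]$ in terms of the eigenvalues of the Gram
matrix of the states $|E(u)\rangle$, using an argument due to Montanaro [25]. We write

$$\Pr[Z = U] = 2^{-\tilde n} \sum_{u \in \{0,1\}^{\tilde n}} |\langle M(u)|E(u)\rangle|^2 = 4^{-\tilde n} \sum_{u \in \{0,1\}^{\tilde n}} |\langle E(u)|\rho^{-1/2}|E(u)\rangle|^2. \tag{6}$$

We define the matrix $P \in \mathbb{C}^{2^{\tilde n} \times 2^{\tilde n}}$, whose entries are $P_{uv} = \langle E(u)|\rho^{-1/2}|E(v)\rangle$. In addition, we define
the Gram matrix $G \in \mathbb{C}^{2^{\tilde n} \times 2^{\tilde n}}$, whose entries are $G_{uv} = \langle E(u)|E(v)\rangle$. It is easy to see that both $P$
and $G$ are positive semidefinite, and that $P^2 = 2^{\tilde n} G$; hence we can write $P = 2^{\tilde n/2} \sqrt{G}$. So we have

$$\Pr[Z = U] = 4^{-\tilde n} \sum_u |P_{uu}|^2 = 2^{-\tilde n} \sum_u \big((\sqrt{G})_{uu}\big)^2. \tag{7}$$

We can lower-bound this as follows, using the convexity of the square function, and letting $\lambda_u(G)$
denote the eigenvalues of $G$:

$$\Pr[Z = U] \ge \Big(2^{-\tilde n} \sum_u (\sqrt{G})_{uu}\Big)^2 = \big(2^{-\tilde n} \operatorname{tr} \sqrt{G}\big)^2 = \Big(2^{-\tilde n} \sum_u \sqrt{\lambda_u(G)}\Big)^2. \tag{8}$$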



Next, define 

V ' \l if A U (G)>1 l ' 

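and observe that $\sqrt{\lambda_u(G)} \ge \nu_u(G)$. So we have

$$\Pr[Z = U] \ge \Big(2^{-\tilde n} \sum_u \nu_u(G)\Big)^2 = \Big(1 - 2^{-\tilde n} \sum_u (1 - \nu_u(G))\Big)^2$$
$$\ge 1 - 2 \cdot 2^{-\tilde n} \sum_u (1 - \nu_u(G)) \ge 1 - 2 \cdot 2^{-\tilde n}\, 2^{\tilde n/2}\, \|\vec{1} - \vec{\nu}(G)\|_2. \tag{10}$$

Also note that $|1 - \nu_u(G)| \le |1 - \lambda_u(G)|$, hence $\|\vec{1} - \vec{\nu}(G)\|_2 \le \|\vec{1} - \vec{\lambda}(G)\|_2 = \|G - I\|_F$. So we
have

$$\Pr[Z = U] \ge 1 - 2 \cdot 2^{-\tilde n/2} \|G - I\|_F. \tag{11}$$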

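Finally, we will use Markov's inequality to show that, with high probability (over the choice of
$E$), $\|G - I\|_F$ is not too large. We write:

$$\mathbb{E}_E\big[\|G - I\|_F^2\big] = \mathbb{E}_E\Big[\sum_{u \ne v \in \{0,1\}^{\tilde n}} |G_{uv}|^2\Big], \tag{12}$$

$$\mathbb{E}_E\big[|G_{uv}|^2\big] = \mathbb{E}_E\Big[\prod_{a=1}^{n} |\langle \alpha_{E(u)_a} | \alpha_{E(v)_a} \rangle|^2\Big] = \prod_{a=1}^{n} \Big(\tfrac{1}{4}\big(1 + 0 + \tfrac{1}{2} + \tfrac{1}{2}\big)\Big) = 2^{-n} \quad (\forall u \ne v), \tag{13}$$

$$\mathbb{E}_E\big[\|G - I\|_F^2\big] = 2^{\tilde n}(2^{\tilde n} - 1)\, 2^{-n} \le 4^{\tilde n}\, 2^{-n}. \tag{14}$$

Hence, by Markov's inequality, for any $C > 1$,

$$\Pr\big[\|G - I\|_F^2 \ge C\, 4^{\tilde n}\, 2^{-n}\big] \le \frac{1}{C}. \tag{15}$$

That is, with probability $\ge 1 - \frac{1}{C}$ (over the choice of $E$), we have $\|G - I\|_F \le \sqrt{C} \cdot 2^{\tilde n}\, 2^{-n/2}$.
Combining this with equation (11) completes the proof. □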
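
A small numerical check of this construction, added here as an example (it is not code from the paper): it samples a random $E$, evaluates the right-hand side of equation (11) from the Gram matrix, confirms the per-qubit factor in equation (13), and computes exactly the information obtained by the simple LOCC strategy from Section 1.3 that measures every qubit in the $\{|0\rangle, |1\rangle\}$ basis. The 2-bit symbol packing, the function names and the parameters n = 16, n_tilde = 10 are assumptions of the example.

```python
import math
import random

# Added illustration. Assumed encoding: each qubit's symbol is 2 bits,
# high bit = basis (0: {|0>,|1>}, 1: {|+>,|->}), low bit = state in that basis,
# so 00, 01, 10, 11 label |0>, |1>, |+>, |-> as in equation (1).

def masks(n):
    """Bit masks selecting the basis bits and the state bits of n packed symbols."""
    return int("10" * n, 2), int("01" * n, 2)

def sample_code(n, n_tilde, rng):
    """Random map E: one packed string of n uniform symbols per message u."""
    return [rng.getrandbits(2 * n) for _ in range(2 ** n_tilde)]

def gram_sq(eu, ev, hi_mask, lo_mask):
    """|<E(u)|E(v)>|^2, a product of single-qubit overlaps in {0, 1/2, 1}."""
    x = eu ^ ev
    hi, lo = x & hi_mask, x & lo_mask
    if lo & ~(hi >> 1):                 # some qubit: same basis, other state
        return 0.0
    return 2.0 ** -bin(hi).count("1")   # each conjugate-basis qubit gives 1/2

def mean_sq_overlap():
    """Per-qubit average behind equation (13): (1/4)(1 + 0 + 1/2 + 1/2)."""
    hi, lo = masks(1)
    return sum(gram_sq(x, y, hi, lo) for x in range(4) for y in range(4)) / 16

def pgm_lower_bound(code, n, n_tilde):
    """Right-hand side of equation (11): 1 - 2 * 2^(-n_tilde/2) * ||G - I||_F."""
    hi, lo = masks(n)
    frob_sq = 0.0
    for i, eu in enumerate(code):
        for ev in code[i + 1:]:
            frob_sq += 2 * gram_sq(eu, ev, hi, lo)   # G is symmetric
    return 1 - 2 * 2 ** (-n_tilde / 2) * math.sqrt(frob_sq)

def locc_mutual_information(code, n):
    """Exact I(Z;U) in bits when every qubit is measured in the {|0>,|1>} basis."""
    pz = [0.0] * (2 ** n)
    h_cond = 0.0                         # accumulates H(Z|U)
    for e in code:
        outcomes = [0]
        for a in range(n):
            sym = (e >> (2 * a)) & 3
            if sym & 2:                  # |+> or |->: outcome is a fair coin
                outcomes += [z | (1 << a) for z in outcomes]
            elif sym & 1:                # |1>: outcome 1 with certainty
                outcomes = [z | (1 << a) for z in outcomes]
        w = 1.0 / (len(code) * len(outcomes))
        for z in outcomes:
            pz[z] += w
        h_cond += math.log2(len(outcomes)) / len(code)
    h_z = -sum(p * math.log2(p) for p in pz if p > 0)
    return h_z - h_cond

def demo(n=16, n_tilde=10, seed=1):
    """Returns (lower bound on PGM success, I(Z;U) of the LOCC strategy)."""
    code = sample_code(n, n_tilde, random.Random(seed))
    return pgm_lower_bound(code, n, n_tilde), locc_mutual_information(code, n)

if __name__ == "__main__":
    bound, info = demo()
    print(f"PGM success probability >= {bound:.3f}")
    print(f"computational-basis LOCC: I(Z;U) = {info:.2f} of 10 bits")
```

The first number bounds how often the entangled measurement identifies the whole message; the second is capped by $n$ minus the average number of Hadamard-basis qubits per codeword, which is where the $n/2$ figure comes from.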

Lemma 2.2. Suppose that Vx\Z = U] > 1 — s, and e is sufficiently small that 2y/e + 2~™ < 1/e. 
TTiera /(Z; 17) > (1 — h\fe)n — T](2^/e), where r)(x) :— — xlgx. 

Proof: See Appendix A.

2.2 Isolated qubits, and LOCC measurement strategies 

In this section we introduce the model of isolated qubits, and the class of LOCC measurement
strategies. Essentially, in a system of $n$ isolated qubits, the allowed operations are local
(single-qubit) quantum operations, and classical communication between qubits. These are $n$-party LOCC
operations, where each party holds a single qubit. In addition, we will often restrict our consideration
to 1-pass LOCC measurement strategies; these are strategies that measure each qubit at most once.
Any $n$-party LOCC measurement strategy can be described as a sequence of steps, which outputs
a sequence of measurement outcomes, as follows:

Begin at step 1.

At step $a$, conditioned on the output of the previous steps $1, 2, \ldots, a-1$:

    Choose one of the parties, specified by $i \in \{1, 2, \ldots, n\}$.

    Choose some measurement $\mathcal{M}$.$^3$

    Perform the measurement $\mathcal{M}$ on the $i$'th party's qubits; this yields some outcome $j$.

    Output $j$, and proceed to step $a + 1$.

3 Any measurement can be described by a set of measurement operators $K_1, K_2, \ldots$ which satisfy $\sum_j K_j^\dagger K_j = I$.
For a given state $\rho$, the measurement returns outcome $j$ with probability $\operatorname{tr}(K_j \rho K_j^\dagger)$, and the post-measurement state
(conditioned on observing $j$) is $K_j \rho K_j^\dagger / \operatorname{tr}(K_j \rho K_j^\dagger)$. Note that the measurement can also be described by a set of POVM
elements $M_j = K_j^\dagger K_j$; the probability of observing outcome $j$ can then be written as $\operatorname{tr}(M_j \rho)$.

LOCC measurement strategies can use an unbounded number of steps, and can measure each
qubit many times, for instance by using a sequence of weak measurements (which may be chosen
adaptively). Strategies using unbounded LOCC are difficult to analyze; in particular, it is a
long-standing open problem to prove strong quantitative bounds on the amount of information returned
by strategies using unbounded LOCC.

Here we consider a restricted class of LOCC strategies: those that measure each qubit at most 
once. We will refer to these as 1-pass LOCC strategies. For these strategies, we can prove nearly-tight 
bounds on the information gained. 

Let us introduce some notation. A 1-pass LOCC strategy consists of $n$ steps, labeled by $a \in [n]$
(where we define $[n] := \{1, 2, \ldots, n\}$). Suppose the strategy uses single-qubit measurements that have
at most $q$ outcomes. At step $a$, let $z_{<a} := (z_1, z_2, \ldots, z_{a-1}) \in [q]^{a-1}$ be the output of the previous
steps; let $Q_a(z_{<a}) \in [n]$ be the choice of which qubit to measure next; let $M_a(z_{<a}, \zeta) \in \mathbb{C}^{2 \times 2}$ (for all
$\zeta \in [q]$) be the POVM elements corresponding to the choice of measurement in this step; and let $z_a$
be the actual measurement outcome that is obtained, so that $M_a(z_{\le a})$ is the corresponding POVM
element. We can write the complete strategy as a POVM measurement on $n$ qubits, whose elements
are given by

$$M(z) := \bigotimes_{a=1}^{n} M_a(z_{\le a}), \quad \forall z \in [q]^n, \tag{16}$$

where $M_a(z_{\le a})$ acts on the qubit indicated by $Q_a(z_{<a})$.

As before, we consider a state discrimination game, where the referee chooses one of the states
$|E(u)\rangle$ at random, then prepares that state, and the adversary carries out some LOCC measurement
strategy, and outputs some string $z \in [q]^n$. We want to bound the mutual information $I(Z; U)$,
where $U$ and $Z$ are the random variables describing the referee's choice and the adversary's output.

We now prove some basic facts, which will be useful in proving security against LOCC strategies. 
Note that, in our problem, each party holds a single qubit. We can make use of this fact, to further 
simplify the set of possible LOCC strategies. 

Lemma 2.3. Let $\mathcal{M}$ be any $n$-party LOCC strategy with output $Z$, where each party holds a single
qubit, uses $q$-outcome measurements, and measures each qubit at most once. Then there exists $\mathcal{M}'$,
an $n$-party LOCC strategy with output $Z'$, that has the same properties as $\mathcal{M}$, as well as the following
additional properties:

1. $I(Z'; U) \ge I(Z; U)$ (when playing the state discrimination game shown above).

2. In every measurement performed by $\mathcal{M}'$, the POVM elements all have rank 1.

Proof: We will construct the strategy $\mathcal{M}'$ as follows. Consider what the strategy $\mathcal{M}$ does at step
$a$, given some prior history $z_{<a}$. Any POVM element $M_a(z_{<a}, \zeta)$ that has rank $> 1$ can be written
in the form $\alpha I + \beta |\varphi\rangle\langle\varphi|$, where $\alpha > 0$, $\beta > 0$. We now construct a new POVM measurement, by
replacing $M_a(z_{<a}, \zeta)$ with two operators $\alpha I$ and $\beta |\varphi\rangle\langle\varphi|$. This new measurement can simulate the
original measurement, by identifying the measurement outcomes $\alpha I$ and $\beta |\varphi\rangle\langle\varphi|$ with the original
measurement outcome $\zeta$.

In this way, one can replace each measurement in $\mathcal{M}$ with a measurement that consists of at
most $q$ POVM elements that have rank 1, and at most $q$ POVM elements that are multiples of
$I$. This strategy is equivalent to a probabilistic mixture of strategies, where each strategy uses
measurements with at most $q$ POVM elements, each of which has rank 1. By convexity of the
mutual information $I(Z; U)$ (as a function of the conditional distribution $\Pr[Z = z \mid U = u]$, keeping
the marginal distribution $\Pr[U = u]$ fixed), there must be a pure strategy $\mathcal{M}'$ that achieves $I(Z'; U) \ge
I(Z; U)$, and uses measurements with at most $q$ POVM elements, each of which has rank 1. □

Next we consider issues related to discretization. Let $S$ be the set of all single-qubit measurements
with $q$ outcomes, where every POVM element has rank 1:

$$S = \Big\{ (M_1, \ldots, M_q) \;\Big|\; M_i \in \mathbb{C}^{2 \times 2},\ M_i \succeq 0,\ \sum_{i=1}^{q} M_i = I,\ \operatorname{rank}(M_i) = 1 \Big\}. \tag{17}$$

This is a continuous set. In our proofs, we would like to approximate it by a finite $\epsilon$-net $L$, with
respect to some appropriate metric $t$. It will be convenient to define $t$ as follows:

$$t(M, \tilde{M}) := \max_{i \in [q]} \|M_i - \tilde{M}_i\|. \tag{18}$$

(Here $\|\cdot\|$ denotes the operator norm.) The following two lemmas bound the size of the $\epsilon$-net $L$, first
in the special case where $q = 2$ (for which we have a better bound), and then in the general case
where $q > 2$.

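Lemma 2.4. Let $q = 2$. For any $0 < \epsilon < 1$, there exists an $\epsilon$-net $L$ for $S$, with respect to the
metric $t$, that has cardinality $|L| \le C/\epsilon^2$ (where $C$ is some numerical constant). Equivalently, we
have $N(S, t, \epsilon) \le C/\epsilon^2$.

Proof: When $q = 2$, we can write the set $S$ and the metric $t$ in a simpler form:

$$S = \{ (|\varphi\rangle\langle\varphi|,\ I - |\varphi\rangle\langle\varphi|) \ \text{s.t.}\ |\varphi\rangle \in \mathbb{C}^2,\ \langle\varphi|\varphi\rangle = 1 \}, \tag{19}$$

$$t\big( (|\varphi\rangle\langle\varphi|,\ I - |\varphi\rangle\langle\varphi|),\ (|\theta\rangle\langle\theta|,\ I - |\theta\rangle\langle\theta|) \big) = \big\| |\varphi\rangle\langle\varphi| - |\theta\rangle\langle\theta| \big\|. \tag{20}$$

Let $B := \{ |\varphi\rangle\langle\varphi| \ \text{s.t.}\ |\varphi\rangle \in \mathbb{C}^2,\ \langle\varphi|\varphi\rangle = 1 \}$, and note that

$$N(S, t, \epsilon) \le N(B, \|\cdot\|, \epsilon). \tag{21}$$

It follows from standard arguments$^4$ that $N(B, \|\cdot\|, \epsilon) \le O(1/\epsilon^2)$. □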

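Lemma 2.5. Let $q > 2$. For any $0 < \epsilon < 1$, there exists an $\epsilon$-net $L$ for $S$, with respect to the metric
$t$, that has cardinality $|L| \le (C/\epsilon)^{3q}$ (where $C$ is some numerical constant). Equivalently, we have
$N(S, t, \epsilon) \le (C/\epsilon)^{3q}$.

Proof: Observe that $S \subset (S'_1)^q$, where $S'_1 := \{ M \in \mathbb{C}^{2 \times 2} \mid 0 \preceq M \preceq I,\ \operatorname{rank}(M) = 1 \}$. This implies:

$$N(S, t, \epsilon) \le N(S'_1, \|\cdot\|, \epsilon/2)^q. \tag{22}$$

Next, let $B := \{ |\varphi\rangle\langle\varphi| \ \text{s.t.}\ |\varphi\rangle \in \mathbb{C}^2,\ \langle\varphi|\varphi\rangle = 1 \}$. Note that we can write $S'_1 = \{ \lambda M \mid \lambda \in [0,1],\ M \in B \}$.
This implies:$^6$

$$N(S'_1, \|\cdot\|, \epsilon/2) \le N([0,1], |\cdot|, \epsilon/4)\, N(B, \|\cdot\|, \epsilon/4). \tag{23}$$

It is easy to see that $N([0,1], |\cdot|, \epsilon/4) \le O(1/\epsilon)$, and it follows from standard arguments$^7$ that
$N(B, \|\cdot\|, \epsilon/4) \le O(1/\epsilon^2)$. □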

We now bound the effect of this discretization when applied to a complete LOCC strategy.
Essentially, if we choose $\epsilon < O(1/qn)$, then the discretization has a negligible effect on the amount
of information returned by the strategy.



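4 Let $B_2 = \{ |\varphi\rangle \in \mathbb{C}^2,\ \langle\varphi|\varphi\rangle = 1 \}$. We claim that, for all $\epsilon < 1$, $N(B, \|\cdot\|, \epsilon) \le N(B_2, \|\cdot\|_2, \epsilon/3)$. This follows
because, for any $|\varphi\rangle\langle\varphi|, |\varphi'\rangle\langle\varphi'| \in B$, such that $|u\rangle := |\varphi'\rangle - |\varphi\rangle$ satisfies $\|u\|_2 < 1$, we can write $\big\| |\varphi\rangle\langle\varphi| - |\varphi'\rangle\langle\varphi'| \big\| =
\big\| -|u\rangle\langle\varphi| - |\varphi\rangle\langle u| - |u\rangle\langle u| \big\| \le 2\|u\|_2 + \|u\|_2^2 \le 3\|u\|_2$. Finally, it is easy to see that $N(B_2, \|\cdot\|_2, \epsilon/3) \le O(1/\epsilon^2)$.

5 This follows because, given an $(\epsilon/2)$-net for $S'_1$, we can take its $q$-fold Cartesian product, "round" each point to the
nearest point in $S$, and get an $\epsilon$-net for $S$.

6 To see this, let $E_1$ be any $(\epsilon/4)$-net for $[0,1]$, and let $E_2$ be any $(\epsilon/4)$-net for $B$. We claim that $F :=
\{ \lambda M \mid \lambda \in E_1,\ M \in E_2 \}$ is an $(\epsilon/2)$-net for $S'_1$. To see this, let $\lambda M$ be any element of $S'_1$. Then there exists some
$\tilde\lambda \tilde M \in F$, such that $\|\lambda M - \tilde\lambda \tilde M\| \le \|\lambda M - \tilde\lambda M\| + \|\tilde\lambda M - \tilde\lambda \tilde M\| \le |\lambda - \tilde\lambda| + \|M - \tilde M\| \le \epsilon/4 + \epsilon/4 = \epsilon/2$.

7 Let $B_2 = \{ |\varphi\rangle \in \mathbb{C}^2,\ \langle\varphi|\varphi\rangle = 1 \}$. We claim that, for all $\epsilon < 1$, $N(B, \|\cdot\|, \epsilon/4) \le N(B_2, \|\cdot\|_2, \epsilon/12)$. This follows
because, for any $|\varphi\rangle\langle\varphi|, |\varphi'\rangle\langle\varphi'| \in B$, such that $|u\rangle := |\varphi'\rangle - |\varphi\rangle$ satisfies $\|u\|_2 < 1$, we can write $\big\| |\varphi\rangle\langle\varphi| - |\varphi'\rangle\langle\varphi'| \big\| =
\big\| -|u\rangle\langle\varphi| - |\varphi\rangle\langle u| - |u\rangle\langle u| \big\| \le 2\|u\|_2 + \|u\|_2^2 \le 3\|u\|_2$. Finally, it is easy to see that $N(B_2, \|\cdot\|_2, \epsilon/12) \le O(1/\epsilon^2)$.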



Lemma 2.6. Let $\mathcal{M}$ be any n-party LOCC strategy with output $Z$, where each party holds a single qubit, uses q-outcome measurements, and measures each qubit at most once, and where all POVM elements have rank 1. Fix some $0 < \varepsilon < 1/(qne)$, and let $L$ be the $\varepsilon$-net for $S$ defined above. Let $\mathcal{M}'$ be the n-party LOCC strategy, with output $Z'$, that is obtained by duplicating the strategy $\mathcal{M}$, and replacing each measurement $M \in S$ with the best approximating measurement $\tilde{M} \in L$. Then

$$|I(Z'; U) - I(Z; U)| \le 2qn^2\varepsilon + 2\eta(qn\varepsilon), \tag{24}$$

where $\eta(x) := -x \lg x$.

Proof: See Appendix B.

2.3 LOCC strategies with 2-outcome measurements 

In this section, we prove that the states $|E(u)\rangle$ ($u \in \{0,1\}^{\tilde{n}}$) cannot be fully distinguished by any n-party LOCC strategy that uses 2-outcome measurements and measures each qubit at most once. In particular, we show that any such LOCC strategy cannot extract more than about n/2 bits of information about $U$. This claim holds with high probability over the randomized construction of the states $|E(u)\rangle$; more precisely, the claim holds with high probability over the choice of the map $E : \{0,1\}^{\tilde{n}} \to \{00, 01, 10, 11\}^n$, which we view as a random variable.

The proof uses an entropy chaining argument, which is stated in Lemma C.1. This is essentially Dudley's inequality for bounding the supremum of an empirical process with Gaussian decaying correlations [29], with some minor technical modifications (in particular, the result is stated as a tail bound for the supremum, rather than a bound on the expected supremum); the proof is given in Appendix C.

The basic idea is as follows. One wants to estimate the probability (over the random choice of $E$) that the best LOCC strategy (chosen with knowledge of the states $|E(u)\rangle$) can extract more than n/2 bits of information about $U$. One may try to do this by using the union bound over all possible LOCC strategies. However, this approach fails, because there are $2^{\Theta(2^n)}$ possible LOCC strategies, while the construction of the states $|E(u)\rangle$ only involves roughly $2^{\tilde{n}} \cdot n$ bits of randomness. The entropy chaining
argument improves on the union bound by exploiting correlations among the different strategies — 
the fact that two strategies that make similar measurements will produce similar results, and hence 
their failure probabilities do not add up in the worst-case fashion described by the union bound. 
The term "entropy chaining" refers to the fact that one must use a sequence of these arguments, to 
capture both strong correlations between very similar strategies and weak correlations between less- 
similar strategies. Each such argument involves covering the set of strategies at a different resolution, 
which can be interpreted as bounding the entropy of the set. 

Theorem 2.7. Let $M$ be the set of all n-party LOCC strategies where each party holds a single qubit, uses 2-outcome measurements, and measures each qubit at most once. Let $t_0 > 0$ and $u \ge 1$. Then, with probability $\ge 1 - \exp(-2t_0^2) - 2 \cdot 2^{-u^2}$ (over the choice of $E$), the following statement holds:

$$\forall \mathcal{M} \in M, \quad I(Z; U) \le (0.54)n + O(1) + t_0\, n\, 2^{-\tilde{n}/2} + u \cdot O(\sqrt{\log n}), \tag{25}$$

where $Z$ denotes the output of the strategy $\mathcal{M}$.

Proof: First, let $L$ be an $\varepsilon$-net for the set of single-qubit measurements with 2 outcomes where all POVM elements have rank 1, as described in Lemma 2.4, and set $\varepsilon = 1/(100n)$. Let $M'$ be the set of all strategies that use measurements chosen from the set $L$. By Lemmas 2.3 and 2.6, any strategy in $M$ can be approximated by one in $M'$.

For any strategy $\mathcal{M}$, let $Z$ denote its output. Note that $Z$ takes values in $\{0,1\}^n$, and we can split its output into two pieces, $Z = (Z_{1,\ldots,\tilde{n}}, Z_{\tilde{n}+1,\ldots,n})$. So we can write

$$I(Z; U) = H(Z) - H(Z|U) \le n - H(Z_{1,\ldots,\tilde{n}}|U). \tag{26}$$

We want to show that $H(Z_{1,\ldots,\tilde{n}}|U)$ is not too small.

Let $M''$ be the set of all strategies with $n$ steps, whose behavior matches the first $\tilde{n}$ steps of some strategy in $M'$. For any $\mathcal{M} \in M''$, we now define

$$Q_{\mathcal{M}} := H(Z_{1,\ldots,\tilde{n}}|U), \tag{27}$$

which is a random variable depending on $E$. Let $\mu_{\mathcal{M}} := \mathbb{E}_E\, Q_{\mathcal{M}}$; we will prove a lower bound for $\mu_{\mathcal{M}}$ below. We will then use entropy chaining (Lemma C.1) to lower-bound the quantity

$$\inf_{\mathcal{M} \in M''} (Q_{\mathcal{M}} - \mu_{\mathcal{M}}). \tag{28}$$

First, we evaluate $\mu_{\mathcal{M}}$:



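$$\mu_{\mathcal{M}} = \mathbb{E}_E[H(Z_{1,\ldots,\tilde{n}}|U)] = 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \sum_{z \in \{0,1\}^{\tilde{n}}} \mathbb{E}_E[-\Pr(z|u) \lg \Pr(z|u)], \tag{29}$$

where for convenience we wrote $\Pr(z|u)$ in place of $\Pr[Z_{1,\ldots,\tilde{n}} = z \mid U = u]$. Consider any fixed $u, z \in \{0,1\}^{\tilde{n}}$. Recall that $|E(u)\rangle$ is chosen uniformly at random in $A^{\otimes n}$, where $A := \{|\alpha_{00}\rangle, |\alpha_{01}\rangle, |\alpha_{10}\rangle, |\alpha_{11}\rangle\}$. So we have

$$\mathbb{E}_E[-\Pr(z|u) \lg \Pr(z|u)] = 4^{-n} \sum_{|\psi\rangle \in A^{\otimes n}} -\langle\psi|M(z)|\psi\rangle \lg \langle\psi|M(z)|\psi\rangle. \tag{30}$$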

Furthermore, we know that (ip\M (z)\ip) = Ila=i (' l pQa(z<a)\^a(z<a)\tpQ a (z <a )) , hence we can write 

E E [ - Pr(z\u)lgPr(z\u)] 

n 

= E 4_ " E -MM(zMk(l>Q a l* <a )\M a (z<a)\ll>Q ait<a )) 

a=l \ip)eA®n (31) 

n 

= E 4 ~"[E -(i>*\Ma(z<a)\i>a)lg{lpa\M a (z< a )\lP a )] [][E (^Wfefc)l^ 
a=l 4>a€A b=£a ipb^A 

Recall that we are considering single-qubit measurements with 2 outcomes, where each outcome corresponds to a rank-1 POVM element. Hence each $M_b(z_{<b})$ is a rank-1 projector, i.e., it can be viewed as a density matrix of a quantum state. Hence we can write

$$\sum_{\psi_b \in A} \langle\psi_b|M_b(z_{<b})|\psi_b\rangle = 2\,\mathrm{tr}\, M_b(z_{<b}) = 2. \tag{32}$$

Also, suppose we let $R_0$ be the result of measuring the state $M_a(z_{<a})$ in the orthonormal basis $\{|\alpha_{00}\rangle, |\alpha_{11}\rangle\}$, and we let $R_1$ be the result of measuring the same state in the orthonormal basis $\{|\alpha_{01}\rangle, |\alpha_{10}\rangle\}$. Then we can write

$$\sum_{\psi_a \in A} -\langle\psi_a|M_a(z_{<a})|\psi_a\rangle \lg \langle\psi_a|M_a(z_{<a})|\psi_a\rangle = H(R_0) + H(R_1) \ge 1, \tag{33}$$

using an entropic uncertainty relation of Maassen and Uffink [27, 28]. Substituting into the previous equations, we get

E £ [-Pr(z|u)lgPr(z|u)] > 2^^ ■ h, (34) 

Hm > n/2. (35) 

We now show several technical facts which are needed in order to apply the entropy chaining argument (Lemma C.1). First, fix some particular strategy $\mathcal{M}_0 \in M''$. We will show that $Q_{\mathcal{M}_0}$ is tightly concentrated around its mean. Observe that $Q_{\mathcal{M}_0} = 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} H(Z_{1,\ldots,\tilde{n}}|U = u)$ is a sum of $2^{\tilde{n}}$ independent random variables, since the strings $E(u)$ for different $u$ are chosen independently at random. Using Hoeffding's inequality, we get that

$$\Pr[Q_{\mathcal{M}_0} \le \mu_{\mathcal{M}_0} - t] \le \exp\Bigl(-\frac{2t^2}{2^{\tilde{n}} (n/2^{\tilde{n}})^2}\Bigr) = \exp\Bigl(-\frac{2t^2 \cdot 2^{\tilde{n}}}{n^2}\Bigr) \quad (\forall t \ge 0), \tag{36}$$

or equivalently

$$\Pr\Bigl[Q_{\mathcal{M}_0} \le \mu_{\mathcal{M}_0} - t\,\frac{n}{2^{\tilde{n}/2}}\Bigr] \le \exp(-2t^2) \quad (\forall t \ge 0). \tag{37}$$

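Next, we show that when two strategies $\mathcal{M}$ and $\mathcal{M}'$ are "similar," the random variables $Q_{\mathcal{M}}$ and $Q_{\mathcal{M}'}$ are positively correlated. In particular, suppose that $\mathcal{M}$ and $\mathcal{M}'$ behave identically for the first $\ell$ steps. Let $Z_{1,\ldots,\tilde{n}}$ and $Z'_{1,\ldots,\tilde{n}}$ be the output of these two strategies; then $(Z_{1,\ldots,\ell}, U)$ and $(Z'_{1,\ldots,\ell}, U)$ have the same distribution. So we can write

$$Q_{\mathcal{M}} - Q_{\mathcal{M}'} = H(Z_{\ell+1,\ldots,\tilde{n}}|Z_{1,\ldots,\ell}, U) - H(Z'_{\ell+1,\ldots,\tilde{n}}|Z'_{1,\ldots,\ell}, U)$$
$$= 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \Bigl( H(Z_{\ell+1,\ldots,\tilde{n}}|Z_{1,\ldots,\ell}, U = u) - H(Z'_{\ell+1,\ldots,\tilde{n}}|Z'_{1,\ldots,\ell}, U = u) \Bigr), \tag{38}$$

which again is a sum of $2^{\tilde{n}}$ independent random variables. By Hoeffding's inequality,

$$\Pr[Q_{\mathcal{M}} - Q_{\mathcal{M}'} - \mu_{\mathcal{M}} + \mu_{\mathcal{M}'} \ge t] \le \exp\Bigl(-\frac{2t^2}{2^{\tilde{n}} (2(n-\ell)/2^{\tilde{n}})^2}\Bigr) = \exp\Bigl(-\frac{t^2 \cdot 2^{\tilde{n}}}{2(n-\ell)^2}\Bigr). \tag{39}$$

We can rewrite this bound in terms of a metric $d$ that measures the "distance" between strategies. We define $d$ as follows (see footnote 8):

$$d(\mathcal{M}, \mathcal{M}') := \sqrt{2} \cdot 2^{-\tilde{n}/2} (n - \ell(\mathcal{M}, \mathcal{M}')), \quad \text{where} \tag{40}$$

$$\ell(\mathcal{M}, \mathcal{M}') := \max\{\ell \mid 0 \le \ell \le \tilde{n}, \text{ and } \mathcal{M} \text{ and } \mathcal{M}' \text{ behave identically on steps } 1, 2, \ldots, \ell\}. \tag{41}$$

We then have

$$\Pr[Q_{\mathcal{M}} - Q_{\mathcal{M}'} - \mu_{\mathcal{M}} + \mu_{\mathcal{M}'} \ge t] \le \exp\Bigl(-\frac{t^2}{d(\mathcal{M}, \mathcal{M}')^2}\Bigr). \tag{42}$$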

Next, we bound the covering numbers of M" with respect to the metric d. We use a simple 
bound: 

7V(M",d,V2.2-"/ 2 £ )<{ Hl/|)2r " [i£ ~ h (43) 

I 1 if £ > h. 

(This bound simply counts the number of possible strategies with $\lceil n - \varepsilon \rceil$ steps. Each such strategy is described by a binary tree of depth $\lceil n - \varepsilon \rceil$, and at every node there is a choice of which of the n qubits to measure next, and which of the measurements in the set $L$ to perform.) We now bound the integral appearing in Lemma C.1 ("Dudley's entropy integral"); here $C_0$ is a numerical constant:



S < Co / y/logN(M", d,e)de 
Jo 

= C / JlogN(M",d,V2-2- A / 2 e) ■ V2 ■ 2- h/2 de 
Jo 

<Coj V^- £+1 ^og(n\L\)-V2-2- n / 2 de (44) 

= Co / 2-"' 2 de ■ 2^log(n\L\) 
Jo 

= Co( T ^)(l-2-»/ 2 ). 2 VlogH^I) 

<C ( 1 ^)-2Vlog(n|L|). 



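8 Note that $d$ is indeed a metric: It is easy to see that $d(\mathcal{M}, \mathcal{M}') \ge 0$, with equality iff $\mathcal{M} = \mathcal{M}'$. Also, clearly $d(\mathcal{M}, \mathcal{M}') = d(\mathcal{M}', \mathcal{M})$. It remains to show that $d(\mathcal{M}, \mathcal{M}'') \le d(\mathcal{M}, \mathcal{M}') + d(\mathcal{M}', \mathcal{M}'')$. We consider two cases. On one hand, if $\mathcal{M}'$ satisfies $\ell(\mathcal{M}, \mathcal{M}') \le \ell(\mathcal{M}, \mathcal{M}'')$ or $\ell(\mathcal{M}', \mathcal{M}'') \le \ell(\mathcal{M}, \mathcal{M}'')$, then the claim follows immediately. On the other hand, if $\mathcal{M}'$ satisfies $\ell(\mathcal{M}, \mathcal{M}') > \ell(\mathcal{M}, \mathcal{M}'')$ and $\ell(\mathcal{M}', \mathcal{M}'') > \ell(\mathcal{M}, \mathcal{M}'')$, then this is impossible, since $\mathcal{M}$ and $\mathcal{M}''$ do not agree at step $\ell(\mathcal{M}, \mathcal{M}'') + 1$; hence this case cannot occur.

Recall that $|L| \le O(1/\varepsilon^2) = O(n^2)$. Hence we have:

$$S \le O(\sqrt{\log n}). \tag{45}$$

Finally, using Lemma C.1, we have that: for all $t_0 > 0$ and $u \ge 1$, with probability $\ge 1 - \exp(-2t_0^2) - 2 \cdot 2^{-u^2}$, the following holds: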

VM eM",Q M - f i M >-^- uS. (46) 

This implies that 

VXeM", Q A ,>|_^_ u -0( x /fog^). (47) 



Plugging into equation (26), we get that

T\ S n - 

2 2™/ 2 



Finally, using Lemmas 2.3 and 2.6, we get that



yMeW, I(Z;U)<n-^ + ^-+u-0(^S^)- (48) 



hn 



VXGM, /(Z;C/)<n-- + - + 0(l) + ^ +M -0(yfog^). (49) 

This proves the claim. □ 

2.4 LOCC strategies with q-outcome measurements

In this section, we consider a more general class of n-party LOCC strategies, that use q-outcome measurements (for any constant q) and measure each qubit at most once. Again we show that the states $|E(u)\rangle$ ($u \in \{0,1\}^{\tilde{n}}$) cannot be perfectly distinguished by such an adversary. Quantitatively, we show that such an adversary can extract at most $\approx (0.71)n$ bits of information about $U$; we do not believe this bound is optimal, but it does nonetheless show that a constant fraction of the information in $U$ is hidden from the adversary.

We use a different proof technique from the previous section: here we show an explicit lower bound on the Rényi collision entropy of $U$ conditioned on the output $Z_{\le m}$ of the first m steps of the adversary. This "collision entropy" proof is a useful alternative to the "entropy chaining" proof of the previous section. The collision entropy proof works quite well when q is large, whereas the entropy chaining proof has some difficulty because the number of possible measurement strategies grows rapidly with q. However, the collision entropy proof does not give a tight bound for any value of q, while the entropy chaining approach does give a tight bound when q = 2.

Theorem 2.8. Let $M$ be the set of all n-party LOCC strategies where each party holds a single qubit, uses q-outcome measurements, and measures each qubit at most once. Then, with probability $\ge 1 - e^{-\Omega(n)}$ (over the choice of $E$), the following statement holds:

$$\forall \mathcal{M} \in M, \quad I(Z; U) \le (0.7067)n + O(1) + O(\lg(qn)), \tag{50}$$

where $Z$ denotes the output of the strategy $\mathcal{M}$.

Proof: First, let $L$ be an $\varepsilon$-net for the set of single-qubit measurements with q outcomes where all POVM elements have rank 1, as described in Lemma 2.5, and set $\varepsilon = 1/(200qn)$. Let $M'$ be the set of all strategies that use measurements chosen from the set $L$. By Lemmas 2.3 and 2.6, any strategy in $M$ can be approximated by one in $M'$.

We will analyze the first m steps of any strategy in $M'$, where $m = \lfloor \tilde{n}/\lg(8/3) \rfloor \approx (0.7067)\tilde{n}$. We will show the following bound:

Lemma 2.9. With probability $\ge 1 - e^{-\Omega(n)}$ (over the choice of $E$),

$$\forall \mathcal{M} \in M',\ \forall z_{1,\ldots,m} \in [q]^m, \quad H_2(U|Z_{1,\ldots,m} = z_{1,\ldots,m}) \ge \tilde{n} - m\lg(\tfrac{3}{2}) - \lg(O(qn\lg(qn))), \tag{51}$$

where $Z_{1,\ldots,m}$ denotes the output of the first m steps of the strategy $\mathcal{M}$, $H_2$ denotes the Rényi collision entropy, and $\lg(\tfrac{3}{2}) \approx 0.5850$.

Proof (of Lemma 2.9): Note that the lemma is equivalent to the following statement: with high probability (over the choice of $E$),

    for all subsets of qubits $A \subset [n]$, of size $|A| = m$,
    for all possible measurement outcomes $M_A$ that correspond to measuring the qubits in the set $A$ using any measurements in the set $L$,
    $H_2(U|M_A)$ (where we condition on observing the measurement outcome $M_A$) is large.

Note that a measurement outcome $M_A$ is uniquely represented by a rank-1 POVM element of the form $M_A = \bigotimes_{i \in A} M_i$, where each $M_i$ is a POVM element acting on qubit i, that corresponds to one possible outcome of some measurement in the set $L$.

We will now proceed as follows. First, we will show that, for every $A$ and $M_A$, $\Pr[M_A]$ is approximately $\mathrm{tr}(M_A)/2^m$. Secondly, we will show that, for every $A$ and $M_A$, $\sum_u \Pr[M_A|U = u]^2$ is small. (To show these claims, we will use large-deviation bounds for every fixed choice of $A$ and $M_A$, followed by the union bound over all $A$ and $M_A$.) Finally, we will combine these two claims to get a lower bound on $H_2(U|M_A)$.

First, fix some subset of qubits $A \subset [n]$, of size $|A| = m$. Let $\rho$ be the mixed state presented to the adversary, $\rho := 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} |E(u)\rangle\langle E(u)|$, and let $\rho_A$ be the reduced state on the subset $A$,

$$\rho_A := \mathrm{tr}_{[n]\setminus A}(\rho) = 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} |E(u)_A\rangle\langle E(u)_A|, \quad \text{where } |E(u)_A\rangle := \bigotimes_{a \in A} |\alpha_{E(u)_a}\rangle. \tag{52}$$

Note that $\mathbb{E}_E\, \rho_A = I/2^m$. We claim that, with high probability (over the choice of $E$), $\rho_A$ is close to the maximally mixed state $I/2^m$, and hence any measurement outcome $M_A$ on the subset $A$ will be observed with probability approximately $\mathrm{tr}(M_A)/2^m$. To show this, we will use the matrix Bernstein inequality [30].

For convenience, define $H := \sum_{u \in \{0,1\}^{\tilde{n}}} H_u$, where $H_u := |E(u)_A\rangle\langle E(u)_A|$. Note that $\mathbb{E}_E H = 2^{\tilde{n}-m} I$ and $\mathbb{E}_E H_u = 2^{-m} I$. Note that the $H_u$ are bounded:

$$\|H_u - \mathbb{E}_E H_u\| = \max\{1 - 2^{-m},\ 2^{-m}\} \le 1 =: R. \tag{53}$$

The variance of $H$ is described by

$$\mathbb{E}_E[(H - \mathbb{E}_E H)^2] = \mathbb{E}_E[H^2] - (\mathbb{E}_E H)^2$$
$$= \mathbb{E}_E\Bigl[\sum_u H_u^2 + \sum_{u \ne v} H_u H_v\Bigr] - 4^{\tilde{n}-m} I$$
$$= \sum_u \mathbb{E}_E[H_u^2] + \sum_{u \ne v} \mathbb{E}_E[H_u]\, \mathbb{E}_E[H_v] - 4^{\tilde{n}-m} I \tag{54}$$
$$= 2^{\tilde{n}-m} I + (4^{\tilde{n}} - 2^{\tilde{n}})\, 4^{-m} I - 4^{\tilde{n}-m} I$$
$$= 2^{\tilde{n}-m} (1 - 2^{-m}) I.$$

In particular, note that

$$\sigma^2 := \|\mathbb{E}_E[(H - \mathbb{E}_E H)^2]\| \le 2^{\tilde{n}-m}. \tag{55}$$

Then the matrix Bernstein inequality [30] implies that, for any $t \ge 0$,

$$\Pr_E[\|H - \mathbb{E}_E H\| \ge t] \le 2 \cdot 2^m \exp\Bigl(-\frac{t^2}{2(\sigma^2 + \frac{1}{3}Rt)}\Bigr) \le 2 \cdot 2^m \exp\Bigl(-\frac{t^2}{2(2^{\tilde{n}-m} + \frac{1}{3}t)}\Bigr). \tag{56}$$

Now set

$$t := t_0 \sqrt{m}\, 2^{(\tilde{n}-m)/2}, \quad \text{for any } t_0 \ge 1. \tag{57}$$

Recall that $0 \le m \le \tilde{n} - \lg n$. This implies that $\lg n \le \tilde{n} - m$, hence $t \le t_0 \sqrt{n}\, 2^{(\tilde{n}-m)/2} \le t_0 2^{\tilde{n}-m}$, and hence $2^{\tilde{n}-m} + \frac{1}{3}t \le \frac{4}{3} t_0 2^{\tilde{n}-m}$. Substituting into the above equation, we get that

$$\Pr_E\bigl[\|H - \mathbb{E}_E H\| \ge t_0 \sqrt{m}\, 2^{(\tilde{n}-m)/2}\bigr] \le 2 \cdot 2^m \exp(-\tfrac{3}{8} t_0 m). \tag{58}$$

Recall that $\rho_A = 2^{-\tilde{n}} H$, hence this implies a large-deviation bound for $\rho_A$:

$$\Pr_E\bigl[\|\rho_A - 2^{-m} I\| \ge 2^{-\tilde{n}} t_0 \sqrt{m}\, 2^{(\tilde{n}-m)/2}\bigr] \le 2 \cdot 2^m \exp(-\tfrac{3}{8} t_0 m). \tag{59}$$

Now use the union bound over all subsets $A \subset [n]$ of size $|A| = m$. (There are $\binom{n}{m} \le 2^n$ such sets.) So with probability $\ge 1 - 2^{n+m+1} \exp(-\tfrac{3}{8} t_0 m)$ (over the choice of $E$), we have that

$$\text{for all subsets } A \text{ of size } m, \quad \|\rho_A - 2^{-m} I\| \le 2^{-\tilde{n}} t_0 \sqrt{m}\, 2^{(\tilde{n}-m)/2} = 2^{-m}\, 2^{-(\tilde{n}-m)/2}\, t_0 \sqrt{m}. \tag{60}$$

By setting $t_0$ to be a sufficiently large constant, we can make the failure probability exponentially small in n. Finally, equation (60) implies that, for any subset $A$ of size m, and any measurement outcome $M_A$, the probability of observing $M_A$ (which is given by $\Pr[M_A] = \mathrm{tr}(M_A \rho_A)$) satisfies the bound

$$|\Pr[M_A] - 2^{-m}\, \mathrm{tr}(M_A)| \le 2^{-m}\, \mathrm{tr}(M_A)\, 2^{-(\tilde{n}-m)/2}\, t_0 \sqrt{m}. \tag{61}$$

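Next, fix some subset of qubits $A \subset [n]$, $|A| = m$, and some measurement outcome $M_A$. We will use Bernstein's inequality to upper-bound the quantity

$$F := \sum_{u \in \{0,1\}^{\tilde{n}}} F_u, \quad \text{where } F_u := (\mathrm{tr}(M_A))^{-2} \Pr[M_A|U = u]^2. \tag{62}$$

Recall that $M_A$ is a tensor product of rank-1 operators acting on single qubits, and so $M_A/\mathrm{tr}(M_A)$ can be written in the form

$$\frac{M_A}{\mathrm{tr}(M_A)} = |\psi_A\rangle\langle\psi_A|, \quad \text{where } |\psi_A\rangle = \bigotimes_{a \in A} |\psi_a\rangle,\ |\psi_a\rangle \in \mathbb{C}^2,\ \langle\psi_a|\psi_a\rangle = 1. \tag{63}$$

So we can write

$$F_u = \Bigl(\langle E(u)_A| \frac{M_A}{\mathrm{tr}(M_A)} |E(u)_A\rangle\Bigr)^2 = |\langle\psi_A|E(u)_A\rangle|^4. \tag{64}$$

First, we will calculate $\mathbb{E}_E F = \sum_u \mathbb{E}_E F_u$. Note that $\mathbb{E}_E F_u = \prod_{a \in A} \mathbb{E}_E[|\langle\psi_a|E(u)_a\rangle|^4]$. We can upper-bound this as follows:

$$\mathbb{E}_E[|\langle\psi_a|E(u)_a\rangle|^4] = \tfrac{1}{4}\bigl[|\langle\psi_a|\alpha_{00}\rangle|^4 + |\langle\psi_a|\alpha_{01}\rangle|^4 + |\langle\psi_a|\alpha_{10}\rangle|^4 + |\langle\psi_a|\alpha_{11}\rangle|^4\bigr] = \tfrac{1}{4} \langle\psi_a|^{\otimes 2}\, T\, |\psi_a\rangle^{\otimes 2}, \tag{65}$$

where we define the matrix $T \in \mathbb{C}^{4 \times 4}$ to be

$$T := (|0\rangle\langle 0|)^{\otimes 2} + (|1\rangle\langle 1|)^{\otimes 2} + (|+\rangle\langle +|)^{\otimes 2} + (|-\rangle\langle -|)^{\otimes 2}. \tag{66}$$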

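Now write the spectral decomposition of $T$:

$$T = |\Psi^+\rangle\langle\Psi^+| + 2|\Phi^+\rangle\langle\Phi^+| + |\Phi^-\rangle\langle\Phi^-|, \tag{67}$$

where $|\Psi^\pm\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$ and $|\Phi^\pm\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$ are the Bell states. Now write $|\psi_a\rangle$ in the form $|\psi_a\rangle = \alpha|0\rangle + \beta|1\rangle$. This implies

$$|\psi_a\rangle^{\otimes 2} = \sqrt{2}\,\alpha\beta\,|\Psi^+\rangle + \tfrac{1}{\sqrt{2}}(\alpha^2 + \beta^2)|\Phi^+\rangle + \tfrac{1}{\sqrt{2}}(\alpha^2 - \beta^2)|\Phi^-\rangle. \tag{68}$$

Now we calculate

$$\langle\psi_a|^{\otimes 2} (2T) |\psi_a\rangle^{\otimes 2} = 4|\alpha|^2|\beta|^2 + 2(\alpha^2 + \beta^2)^*(\alpha^2 + \beta^2) + (\alpha^2 - \beta^2)^*(\alpha^2 - \beta^2)$$
$$= 4|\alpha|^2|\beta|^2 + 3|\alpha|^4 + (\alpha^2)^*\beta^2 + (\beta^2)^*\alpha^2 + 3|\beta|^4$$
$$= 2(|\alpha|^2 + |\beta|^2)^2 + |\alpha^2 + \beta^2|^2 \tag{69}$$
$$\le 3(|\alpha|^2 + |\beta|^2)^2 = 3.$$

This implies that $\mathbb{E}_E[|\langle\psi_a|E(u)_a\rangle|^4] \le \tfrac{3}{8}$, and hence $\mathbb{E}_E F_u \le (\tfrac{3}{8})^m$ and $\mathbb{E}_E F \le 2^{\tilde{n}} (\tfrac{3}{8})^m$.

In addition, we bound the variance of $F_u$ as follows (using the fact that $0 \le F_u \le 1$): $\mathrm{Var}_E F_u \le \mathbb{E}_E(F_u^2) \le \mathbb{E}_E F_u \le (\tfrac{3}{8})^m$.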

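Now Bernstein's inequality [31] implies that, for all $t \ge 0$,

$$\Pr_E[F \ge \mathbb{E}_E F + t] \le \exp\Bigl(-\frac{t^2}{2 \cdot 2^{\tilde{n}} (\frac{3}{8})^m + \frac{2}{3} t}\Bigr). \tag{70}$$

Recall that $m \le \tilde{n}/\lg(\tfrac{8}{3})$, and note that this implies $2^{\tilde{n}} (\tfrac{3}{8})^m \ge 1$. Now set

$$t = t_1 \bigl[2^{\tilde{n}} (\tfrac{3}{8})^m\bigr]^{1/2}, \quad \text{for any } t_1 \ge 1. \tag{71}$$

This implies $2 \cdot 2^{\tilde{n}} (\tfrac{3}{8})^m + \tfrac{2}{3} t \le (2 + \tfrac{2}{3})\, t_1 2^{\tilde{n}} (\tfrac{3}{8})^m$. Substituting into the above equation, we get

$$\Pr\bigl[F \ge 2^{\tilde{n}} (\tfrac{3}{8})^m + t_1 [2^{\tilde{n}} (\tfrac{3}{8})^m]^{1/2}\bigr] \le \exp(-\tfrac{3}{8} t_1). \tag{72}$$

Now take the union bound over all subsets $A \subset [n]$ of size $|A| = m$, and all measurement outcomes $M_A$ that correspond to measurements chosen from the set $L$ and performed on the qubits in the set $A$. (There are $\binom{n}{m} \le 2^n$ such sets, and $(q|L|)^m \le (q \cdot O(1/\varepsilon)^{3q})^m \le (q \cdot O(qn)^{3q})^m \le 2^{O(qn\lg(qn))}$ such measurement outcomes.) Then, with probability $\ge 1 - 2^{O(qn\lg(qn))} \exp(-\tfrac{3}{8} t_1)$, we have that

$$\text{for all subsets } A \text{ of size } m, \text{ and all measurement outcomes } M_A, \quad F \le 2^{\tilde{n}} (\tfrac{3}{8})^m + t_1 [2^{\tilde{n}} (\tfrac{3}{8})^m]^{1/2}. \tag{73}$$

By setting $t_1 := \Theta(qn\lg(qn))$, we can make the failure probability exponentially small in n.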

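Finally, we will combine equations (61) and (73) to get a lower bound on $H_2(U|M_A)$. For any $A$ and $M_A$, we write

$$2^{-H_2(U|M_A)} = \sum_{u \in \{0,1\}^{\tilde{n}}} \Pr[U = u|M_A]^2$$
$$= \Pr[M_A]^{-2}\, 4^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \Pr[M_A|U = u]^2$$
$$= \Pr[M_A]^{-2}\, 4^{-\tilde{n}}\, (\mathrm{tr}(M_A))^2 F$$
$$\le \bigl[2^{-m}\, \mathrm{tr}(M_A) (1 - 2^{-(\tilde{n}-m)/2} t_0 \sqrt{m})\bigr]^{-2}\, 4^{-\tilde{n}}\, (\mathrm{tr}(M_A))^2 \bigl[2^{\tilde{n}} (\tfrac{3}{8})^m + t_1 [2^{\tilde{n}} (\tfrac{3}{8})^m]^{1/2}\bigr] \tag{74}$$
$$\le 4^m (1 - 2^{-(\tilde{n}-m)/2} t_0 \sqrt{m})^{-2}\, 4^{-\tilde{n}}\, 2^{\tilde{n}} (\tfrac{3}{8})^m (1 + t_1)$$
$$\le 2^{-\tilde{n}} (\tfrac{3}{2})^m\, O(qn\lg(qn)).$$

This implies

$$H_2(U|M_A) \ge \tilde{n} - m\lg(\tfrac{3}{2}) - \lg(O(qn\lg(qn))) \approx \tilde{n} - (0.5850)m - \lg(O(qn\lg(qn))). \tag{75}$$

This completes the proof of Lemma 2.9. □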



We now return to the proof of Theorem 2.8. Consider any strategy $\mathcal{M} \in M'$. We want to bound the mutual information

$$I(U; Z) = I(U; Z_{1,\ldots,m}) + I(U; Z_{m+1,\ldots,n}|Z_{1,\ldots,m}). \tag{76}$$

We bound the first term using Lemma 2.9. First we write

$$I(U; Z_{1,\ldots,m}) = H(U) - H(U|Z_{1,\ldots,m}) \le \tilde{n} - \sum_{z_{1,\ldots,m} \in [q]^m} \Pr[Z_{1,\ldots,m} = z_{1,\ldots,m}]\, H(U|Z_{1,\ldots,m} = z_{1,\ldots,m}). \tag{77}$$

For any particular string of measurement outcomes $z_{1,\ldots,m} \in [q]^m$, let $A \subset [n]$ be the set of qubits that were measured, and let $M_A$ be the corresponding POVM element. Then, by Lemma 2.9, we have

$$H(U|Z_{1,\ldots,m} = z_{1,\ldots,m}) \ge H_2(U|Z_{1,\ldots,m} = z_{1,\ldots,m}) \ge \tilde{n} - \tilde{n}\,\frac{\lg(3/2)}{\lg(8/3)} - O(\lg(qn)). \tag{78}$$

We bound the second term using Holevo's inequality [26]. First we write

$$I(U; Z_{m+1,\ldots,n}|Z_{1,\ldots,m}) = \sum_{z_{1,\ldots,m} \in [q]^m} \Pr[Z_{1,\ldots,m} = z_{1,\ldots,m}]\, I(U; Z_{m+1,\ldots,n}|Z_{1,\ldots,m} = z_{1,\ldots,m}). \tag{79}$$

For any particular string of measurement outcomes $z_{1,\ldots,m} \in [q]^m$, let $A \subset [n]$ be the set of qubits that were measured, and let $p(u) = \Pr[U = u|Z_{1,\ldots,m} = z_{1,\ldots,m}]$. Then we have

$$I(U; Z_{m+1,\ldots,n}|Z_{1,\ldots,m} = z_{1,\ldots,m}) \le S\Bigl(\sum_{u \in \{0,1\}^{\tilde{n}}} p(u)\, |E(u)\rangle\langle E(u)|_{[n]\setminus A}\Bigr) - \sum_{u \in \{0,1\}^{\tilde{n}}} p(u)\, S\bigl(|E(u)\rangle\langle E(u)|_{[n]\setminus A}\bigr)$$
$$\le n - m \le n - \frac{\tilde{n}}{\lg(8/3)} + 1. \tag{80}$$

Combining these bounds, we get

$$I(U; Z) \le \tilde{n} - \tilde{n} + \tilde{n}\,\frac{\lg(3/2)}{\lg(8/3)} + O(\lg(qn)) + n - \frac{\tilde{n}}{\lg(8/3)} + 1$$
$$\le n - \tilde{n}\,\frac{\lg(4/3)}{\lg(8/3)} + O(\lg(qn)) \tag{81}$$
$$\approx n - (0.2933)\tilde{n} + O(\lg(qn)).$$

□

3 One-time memories from isolated qubits 

A one-time memory (OTM) is a device that implements the following functionality [T]: one party 
(Alice) can write two messages $s, t \in \{0,1\}$ into the device, and then give the device to another
party (Bob); after receiving the device, Bob can then choose to read either s or t, but not both. 
In typical applications, such as constructions of one-time programs, the two messages s and t are 
cryptographic keys, which are chosen independently at random. 

In this section, we will construct quantum devices which implement a slightly weakened variant 
of the OTM functionality. Our devices are based on "isolated qubits," i.e., honest parties need 
only LOCC operations in order to use the devices, and the devices are secure against malicious 
parties that are restricted to use one-pass LOCC measurement strategies. Our devices implement 
an "information-theoretic" variant of the OTM functionality, i.e., they are not computationally 
efficient, but they are secure against computationally-unbounded adversaries. Our devices also leak 
some information (a constant fraction of the message bits, which is bounded below 1); however, note 
that in typical applications such as one-time programs, the messages are independent cryptographic 
keys which are never re-used, and one can still achieve security by combining leaky OTM's with a 
leak-resistant encryption scheme [23].

We consider a system of n qubits, and set $k \approx (0.3991)n$. We construct a set of states $|E(s,t)\rangle$ ($s, t \in \{0,1\}^k$) with the following properties:

1. The states $|E(s,t)\rangle$ are tensor products of pure single-qubit states.

2. Suppose s and t are chosen uniformly at random. There exists a sequence of single-qubit projective measurements that can reconstruct s with high probability. Likewise, there exists a sequence of single-qubit projective measurements that can reconstruct t with high probability.

3. Suppose s and t are chosen uniformly at random. No one-pass LOCC measurement strategy using 2-outcome measurements can recover more than $\approx (1.9)k$ bits of information about s and t.

We construct the states $|E(s,t)\rangle$ as follows. First, choose a random map $C : \{0,1\}^k \to \{0,1\}^n$, i.e., for each $s \in \{0,1\}^k$, choose $C(s) \in \{0,1\}^n$ independently and uniformly at random. Similarly, choose a random map $D : \{0,1\}^k \to \{0,1\}^n$. Now define

$$|E(s,t)\rangle := \bigotimes_{a=1}^{n} |\alpha_{C(s)_a D(t)_a}\rangle, \tag{82}$$

where the single-qubit states $|\alpha_{00}\rangle, |\alpha_{01}\rangle, |\alpha_{10}\rangle, |\alpha_{11}\rangle$ are defined in the same way as in the previous section:

$$|\alpha_{00}\rangle = |0\rangle, \quad |\alpha_{11}\rangle = |1\rangle, \quad |\alpha_{01}\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \quad |\alpha_{10}\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle). \tag{83}$$

The states $|E(s,t)\rangle$ are reminiscent of Wiesner's conjugate coding [35], in that measuring in one basis reveals information about s, while measuring in another basis reveals information about t. Let us define the states

$$|\beta_\theta\rangle := \cos(\theta)|0\rangle + \sin(\theta)|1\rangle, \quad \theta \in \mathbb{R}. \tag{84}$$

Then measuring each qubit in the basis $\{|\beta_{\pi/8}\rangle, |\beta_{5\pi/8}\rangle\}$ returns a "noisy" copy of the string $C(s)$, which can be decoded to recover s (since, with high probability, $C$ is a good error-correcting code). Likewise, measuring each qubit in the basis $\{|\beta_{-\pi/8}\rangle, |\beta_{3\pi/8}\rangle\}$ returns a "noisy" copy of the string $D(t)$, which can be decoded to recover t.

Wiesner pointed out that there exists a joint measurement on the n qubits that can recover both 
s and t; however, one may expect this measurement to be highly entangled, hence impossible to 
perform using only LOCC operations. We will give rigorous evidence that this is indeed the case. 

3.1 Correctness for honest parties 

First, we show that the honest strategies for recovering either s or t (as described above) do succeed with high probability. Without loss of generality, suppose we want to recover s. Let $S$ and $T$ be random variables, distributed independently and uniformly on $\{0,1\}^k$. We are given the state $|E(S,T)\rangle$, and we measure each qubit in the basis $\{|\beta_{\pi/8}\rangle, |\beta_{5\pi/8}\rangle\}$. Let $Z$ be the random variable containing the string of measurement outcomes, i.e., $Z$ takes values in $\{0,1\}^n$. It is easy to see that $Z$ is the output of a binary symmetric channel $\mathrm{BSC}(p_e)$ applied to the string $C(S)$, where the error probability $p_e$ is given by

$$p_e := \sin^2(\pi/8) \approx 0.1464. \tag{85}$$

Finally, we decode $Z$ as follows: we output any string $t \in \{0,1\}^k$ such that $d_H(C(t), Z) \le r$, where $d_H$ denotes the Hamming distance. If there are multiple candidate strings t, we pick one of them in some arbitrary fashion. Let $\hat{S}$ be the random variable containing the output of this procedure.

We set the parameters k and r as follows. First, we define

$$h(p) := -p\lg(p) - (1-p)\lg(1-p), \tag{86}$$

and we recall that the channel $\mathrm{BSC}(p_e)$ has capacity $1 - h(p_e) \approx 0.3991$. Then we set

$$k := n(1 - h(p_e)) - \theta\sqrt{n}, \tag{87}$$

where $\theta > 0$ is some constant. Next, note that the expected number of errors introduced by the channel is $np_e$. We set

$$r := np_e + \tau\sqrt{n}, \tag{88}$$

where $\tau > 0$ is some constant.

We prove the following statement, which is essentially Shannon's noisy coding theorem for the binary symmetric channel, using an argument from [32]. This shows that, when we choose $\theta$ and $\tau$ to be sufficiently large constants, satisfying $\theta > (2.5431)\tau$, then with high probability over the choice of the random code $C$, $\Pr[\hat{S} = S]$ is close to 1.

Proposition 3.1. Fix any constants $\lambda > 1$, $\tau > 0$ and $\theta > \tau h'(p_e)$. (Note that $h'(p_e) \approx 2.5431$.) Then for all sufficiently large n, the following statement holds: with probability $\ge 1 - \frac{1}{\lambda}$ (over the choice of $C$), we have

$$\Pr[\hat{S} = S] \ge 1 - \lambda\bigl[e^{-2\tau^2} + 2^{-\theta\sqrt{n}}\, 2^{\tau\sqrt{n}\, h'(p_e)}\bigr]. \tag{89}$$

Proof: We can view $\Pr[\hat{S} \ne S]$ as a random variable depending on the choice of the random code $C$. We then calculate $\mathbb{E}_C \Pr[\hat{S} \ne S]$.

We can upper-bound $\Pr[\hat{S} \ne S]$ as follows:

$$\Pr[\hat{S} \ne S] \le \Pr[d_H(C(S), Z) > r] + \Pr[d_H(C(S), Z) \le r \text{ and } \exists t \in \{0,1\}^k \text{ s.t. } t \ne S,\ d_H(C(t), Z) \le r]. \tag{90}$$

Let $N_e$ be the number of errors introduced by the channel $\mathrm{BSC}(p_e)$, acting independently on the n bits of the string $C(S)$. Then $N_e = d_H(C(S), Z)$, $\mathbb{E} N_e = np_e$, and by Hoeffding's inequality, $\Pr[N_e > r] \le e^{-2\tau^2}$. So we have

$$\Pr[\hat{S} \ne S] \le e^{-2\tau^2} + \Pr[\exists t \in \{0,1\}^k \text{ s.t. } t \ne S,\ d_H(C(t), Z) \le r]$$
$$= e^{-2\tau^2} + 2^{-k} \sum_{s \in \{0,1\}^k} \Pr[\exists t \in \{0,1\}^k \text{ s.t. } t \ne s,\ d_H(C(t), Z) \le r \mid S = s]$$
$$\le e^{-2\tau^2} + 2^{-k} \sum_{s \in \{0,1\}^k} \sum_{t \in \{0,1\}^k \setminus \{s\}} \Pr[d_H(C(t), Z) \le r \mid S = s] \tag{91}$$
$$= e^{-2\tau^2} + 2^{-k} \sum_{s \in \{0,1\}^k} \sum_{t \in \{0,1\}^k \setminus \{s\}} \sum_{z \in \{0,1\}^n} \mathbf{1}[d_H(C(t), z) \le r]\, \Pr[Z = z \mid S = s].$$

We now bound $\mathbb{E}_C \Pr[\hat{S} \ne S]$, taking the expectation over the choice of the random code $C$. Note that

$$\mathbb{E}_C\bigl[\mathbf{1}[d_H(C(t), z) \le r]\, \Pr[Z = z \mid S = s]\bigr] = \mathbb{E}_C\bigl[\mathbf{1}[d_H(C(t), z) \le r]\bigr]\, \mathbb{E}_C\bigl[\Pr[Z = z \mid S = s]\bigr], \tag{92}$$

since $C(s)$ and $C(t)$ are independent random variables (since $s \ne t$). We have the following bound:

$$\mathbb{E}_C\bigl[\mathbf{1}[d_H(C(t), z) \le r]\bigr] = \Pr[d_H(C(t), z) \le r] = 2^{-n} \sum_{a=0}^{\lfloor r \rfloor} \binom{n}{a} \le 2^{-n}\, 2^{n h(r/n)}, \tag{93}$$

where we used a tail inequality from [32, p. 39] (note that $r \le n/2$, when n is sufficiently large). Hence,

$$\mathbb{E}_C \Pr[\hat{S} \ne S] \le e^{-2\tau^2} + 2^k\, 2^{-n[1 - h(r/n)]}. \tag{94}$$

Note that h is a concave function, so it satisfies the bound $h(r/n) = h(p_e + (\tau/\sqrt{n})) \le h(p_e) + (\tau/\sqrt{n})\, h'(p_e)$, where $h'(p_e) \approx 2.5431$. Plugging this in, and using equation (87), we get that

$$\mathbb{E}_C \Pr[\hat{S} \ne S] \le e^{-2\tau^2} + 2^k\, 2^{-n(1 - h(p_e) - (\tau/\sqrt{n}) h'(p_e))} = e^{-2\tau^2} + 2^{-\theta\sqrt{n}}\, 2^{\tau\sqrt{n}\, h'(p_e)}. \tag{95}$$

We then use Markov's inequality to get the desired result. □
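The honest read-out of Section 3.1 can be checked numerically. The following Python sketch is an added example, not code from the paper: it samples single-qubit measurement outcomes from the Born rule for the states of equation (83), decodes with the bounded-distance rule of equation (88), and confirms the constants $p_e$, $1 - h(p_e)$ and $h'(p_e)$. The code size (n = 64, k = 8), $\tau = 1$ and the seed are assumptions chosen for a quick run, far from the asymptotic regime of Proposition 3.1.

```python
import math
import random

# Angles a of the real states |alpha_cd> = cos(a)|0> + sin(a)|1> from equation (83):
# |alpha_00> = |0>, |alpha_01> = |+>, |alpha_11> = |1>, |alpha_10> = |->.
STATE_ANGLE = {(0, 0): 0.0, (0, 1): math.pi / 4,
               (1, 1): math.pi / 2, (1, 0): -math.pi / 4}

READ_S = math.pi / 8     # basis {|beta_{pi/8}>, |beta_{5pi/8}>}: noisy copy of C(s)
READ_T = -math.pi / 8    # basis {|beta_{-pi/8}>, |beta_{3pi/8}>}: noisy copy of D(t)

P_E = math.sin(math.pi / 8) ** 2   # equation (85)


def h(p):
    """Binary entropy function, equation (86)."""
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def h_prime(p):
    """Derivative of h, as used in Proposition 3.1: h'(p) = lg((1 - p) / p)."""
    return math.log2((1 - p) / p)


def prob_outcome_1(c, d, basis_angle):
    """Born rule for |alpha_cd> measured in {|beta_x>, |beta_{x+pi/2}>}.
    Outcome 0 is |beta_x>, outcome 1 is |beta_{x+pi/2}>."""
    return math.sin(STATE_ANGLE[(c, d)] - basis_angle) ** 2


def per_qubit_error(basis_angle, which):
    """Exact Pr[outcome != bit] for uniformly random (c, d), where the bit is
    c (which=0, the C(s) bit) or d (which=1, the D(t) bit)."""
    total = 0.0
    for (c, d) in STATE_ANGLE:
        p1 = prob_outcome_1(c, d, basis_angle)
        bit = (c, d)[which]
        total += p1 if bit == 0 else 1 - p1
    return total / 4


def random_code(k, n, rng):
    """Random map {0,1}^k -> {0,1}^n: one independent uniform codeword per message."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(2 ** k)]


def measure(c_word, d_word, basis_angle, rng):
    """Measure each qubit of |E(s,t)> once, all in the same single-qubit basis."""
    return [1 if rng.random() < prob_outcome_1(c, d, basis_angle) else 0
            for c, d in zip(c_word, d_word)]


def decode(code, z, r):
    """Section 3.1 decoder: first message whose codeword lies within Hamming
    distance r of z (ties broken by enumeration order), or None."""
    for msg, word in enumerate(code):
        if sum(a != b for a, b in zip(word, z)) <= r:
            return msg
    return None


def honest_read_success_rate(n=64, k=8, tau=1.0, trials=200, seed=1):
    """Fraction of trials in which an honest reader recovers s from |E(s,t)>."""
    rng = random.Random(seed)
    C, D = random_code(k, n, rng), random_code(k, n, rng)
    r = n * P_E + tau * math.sqrt(n)          # equation (88)
    ok = 0
    for _ in range(trials):
        s, t = rng.randrange(2 ** k), rng.randrange(2 ** k)
        z = measure(C[s], D[t], READ_S, rng)
        ok += decode(C, z, r) == s
    return ok / trials


if __name__ == "__main__":
    print("p_e              =", round(P_E, 4))
    print("capacity 1-h(p_e) =", round(1 - h(P_E), 4))
    print("h'(p_e)          =", round(h_prime(P_E), 4))
    print("s-basis error vs C(s) bit:", round(per_qubit_error(READ_S, 0), 4))
    print("s-basis error vs D(t) bit:", round(per_qubit_error(READ_S, 1), 4))
    print("honest read success rate :", honest_read_success_rate())
```

The per-qubit error of exactly 1/2 against the $D(t)$ bit shows that the outcomes of the s-basis measurement are statistically independent of $D(t)$ on each qubit, which is the single-qubit picture behind reading s or t but not both.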
3.2 Security against one-pass LOCC adversaries using 2-outcome measurements

In this section we will upper-bound the amount of information that can be extracted from our OTM devices by any one-pass LOCC adversary using 2-outcome measurements. Our OTM states resemble the data-hiding states studied in Section 2, but they pose some additional challenges. First, there are fewer OTM states ($2^{2k}$ states in dimension $2^n$, where $k \approx (0.3991)n$), hence the states are easier to distinguish. For comparison, there were $2^{\tilde{n}}$ data-hiding states in dimension $2^n$, where $\tilde{n} = n - O(1)$.

More importantly, the OTM states are much less "random": the construction uses only $2 \cdot 2^k$ independent random variables, consisting of the strings $C(s)$ (for all $s \in \{0,1\}^k$) and $D(t)$ (for all $t \in \{0,1\}^k$). As a result, the OTM states are not independent from one another; there are significant positive correlations among states $|E(s,t)\rangle$ that have the same s but different t. In contrast, recall that the data-hiding states were all chosen independently.

As a result, the large-deviation bounds that we used in Section 2 are not as strong when applied in this setting, and neither of the proof techniques from Section 2 (i.e., entropy chaining and collision entropy) gives a nontrivial bound by itself. To get around this difficulty, we combine the two techniques in sequence. We use the collision entropy technique to analyze the first few steps taken by the adversary; then we use the entropy chaining technique to prove bounds on the adversary's subsequent steps. To deal with the correlations among the states $|E(s,t)\rangle$, we will use large deviation bounds for sums of locally dependent random variables [33, 31].

Theorem 3.2. Let $M$ be the set of all one-pass LOCC strategies that use 2-outcome single-qubit measurements. Then, with probability $\ge 1 - e^{-\Omega(n)}$ (over the choice of $C$ and $D$), the following statement holds:

WWeM, I(Z;S,T)<(1.9190)k + O(y/nlogn), (96) 

where Z denotes the output of the strategy M . 

Proof: First, let $L$ be an $\varepsilon$-net for the set of single-qubit measurements with 2 outcomes where all POVM elements have rank 1, as described in Lemma 2.4, and set $\varepsilon = 1/(200n)$. Let $M'$ be the set of all strategies that use measurements chosen from the set $L$. By Lemmas 2.3 and 2.6, any strategy in $M$ can be approximated by one in $M'$.

We will analyze the first m steps of any strategy in $M'$, where

$$m := \lfloor k/\lg(8/3) \rfloor \approx (0.7067)k. \tag{97}$$

We will show the following bound:

Lemma 3.3. With probability $\ge 1 - e^{-\Omega(n)}$ (over the choice of $C$ and $D$),

$$\forall \mathcal{M} \in M',\ \forall z_{1,\ldots,m} \in \{0,1\}^m, \quad H_2(S, T|Z_{1,\ldots,m} = z_{1,\ldots,m}) \ge 2k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n)), \tag{98}$$

where $Z_{1,\ldots,m}$ denotes the output of the first m steps of the strategy $\mathcal{M}$, $H_2$ denotes the Rényi collision entropy, and $\lg(\tfrac{3}{2}) \approx 0.5850$.

Remark: Equation (98) is equivalent to the following statement:

    for all subsets of qubits $A \subset [n]$, of size $|A| = m$,
    for all possible measurement outcomes $M_A$, that can be obtained by measuring the qubits in $A$ (using measurements chosen from the set $L$),
    $H_2(S, T|M_A) \ge 2k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n))$.

Recall that a measurement outcome $M_A$ is uniquely represented by a rank-1 POVM element of the form $M_A = \bigotimes_{i \in A} M_i$, where each $M_i$ is a POVM element acting on qubit i, that corresponds to one possible outcome of some measurement in the set $L$.



Proof (of Lemma 3.3): First, we will show that, for every $A$ and $M_A$, $\Pr[M_A]$ is approximately
$\mathrm{tr}(M_A)/2^m$. Secondly, we will show that, for every $A$ and $M_A$, $\sum_{s,t} \Pr[M_A \mid S = s, T = t]^2$ is small.
(To show these claims, we will use large-deviation bounds for every fixed choice of $A$ and $M_A$,
followed by the union bound over all $A$ and $M_A$.) Finally, we will combine these two claims to get
a lower-bound on $H_2(S,T \mid M_A)$.

First, fix some subset of qubits $A \subset [n]$, of size $|A| = m$, and fix some measurement outcome
$M_A$. Let $\rho$ be the mixed state presented to the adversary, $\rho := 4^{-k} \sum_{s,t \in \{0,1\}^k} |E(s,t)\rangle\langle E(s,t)|$, and
let $\rho_A$ be the reduced state on the subset $A$,

$$\rho_A := \mathrm{tr}_{[n] \setminus A}(\rho) = 4^{-k} \sum_{s,t \in \{0,1\}^k} |E(s,t)_A\rangle\langle E(s,t)_A|, \quad \text{where } |E(s,t)_A\rangle := \bigotimes_{a \in A} |\alpha_{C(s)_a D(t)_a}\rangle. \tag{99}$$

Recall that $M_A$ is a tensor product of rank-1 operators acting on single qubits. Moreover, since the
adversary uses single-qubit measurements with 2 outcomes, each measurement outcome is a rank-1
projector. So $\mathrm{tr}(M_A) = 1$, and $M_A$ can be written in the form

$$M_A = |\psi_A\rangle\langle\psi_A|, \quad \text{where } |\psi_A\rangle = \bigotimes_{a \in A} |\psi_a\rangle, \quad |\psi_a\rangle \in \mathbb{C}^2, \quad \langle\psi_a|\psi_a\rangle = 1. \tag{100}$$

We will use Bernstein's inequality for locally dependent random variables [33] to lower-bound the
quantity

$$\Pr[M_A] = \mathrm{tr}(M_A \rho_A) = 4^{-k} \sum_{s,t \in \{0,1\}^k} |\langle\psi_A|E(s,t)_A\rangle|^2. \tag{101}$$

For convenience, let us define the random variables

$$H := \sum_{s,t \in \{0,1\}^k} H_{st}, \qquad H_{st} := |\langle\psi_A|E(s,t)_A\rangle|^2. \tag{102}$$

We can calculate their expectation values:

$$\mathbb{E}_{CD} H_{st} = \prod_{a \in A} \mathbb{E}_{CD}\bigl[|\langle\psi_a|E(s,t)_a\rangle|^2\bigr] = 2^{-m}, \tag{103}$$

hence $\mathbb{E}_{CD} H = 4^k 2^{-m}$. We can also bound their variances:

$$\mathrm{Var}_{CD} H_{st} \le \mathbb{E}_{CD}[H_{st}^2] = \prod_{a \in A} \mathbb{E}_{CD}\bigl[|\langle\psi_a|E(s,t)_a\rangle|^4\bigr] \le (\tfrac{3}{8})^m, \tag{104}$$

where in the last step we re-used the argument shown in equations (65)-(69) in the proof of Lemma 2.9.



We claim that the dependency graph $\Gamma$ of the random variables $H_{st}$ ($s,t \in \{0,1\}^k$) has chromatic
number $\chi(\Gamma) \le 2^k$. To see this, note that two vertices $(s,t)$ and $(s',t')$ in $\Gamma$ are adjacent if and
only if $s = s'$ or $t = t'$. We can color the vertices of $\Gamma$ as follows: assign each vertex $(s,t)$ the color
specified by the string $s \oplus t \in \{0,1\}^k$ (where $\oplus$ denotes bitwise XOR). It is easy to check that this
is a legal coloring, which uses $2^k$ colors.
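
The colouring argument above can be checked exhaustively for small k. The following Python sketch is an added example, not code from the paper; it encodes the bit strings s and t as integers, and all function names are chosen here for illustration.

```python
from itertools import combinations


def vertices(k):
    """Index pairs (s, t) with s, t in {0,1}^k, encoded as integers 0..2^k-1."""
    return [(s, t) for s in range(2 ** k) for t in range(2 ** k)]


def adjacent(v, w):
    """Edge rule from the text: distinct pairs that share s or share t."""
    return v != w and (v[0] == w[0] or v[1] == w[1])


def xor_color(v):
    """Colour assigned to vertex (s, t): the bitwise XOR of s and t."""
    return v[0] ^ v[1]


def is_proper(k, color):
    """True if no two adjacent vertices receive the same colour."""
    return all(color(v) != color(w)
               for v, w in combinations(vertices(k), 2) if adjacent(v, w))


def color_classes(k, color=xor_color):
    """Group the vertices by colour."""
    classes = {}
    for v in vertices(k):
        classes.setdefault(color(v), []).append(v)
    return classes


def classes_use_each_index_once(k):
    """In every XOR colour class each s and each t occurs exactly once,
    so no two variables in a class share an index s or t."""
    full = set(range(2 ** k))
    return all(len(cls) == 2 ** k
               and {s for s, _ in cls} == full
               and {t for _, t in cls} == full
               for cls in color_classes(k).values())


def clique_size(k):
    """The vertices (0, t), over all t, are pairwise adjacent: a clique
    of size 2^k, so no legal colouring can use fewer than 2^k colours."""
    row = [(0, t) for t in range(2 ** k)]
    if not all(adjacent(v, w) for v, w in combinations(row, 2)):
        raise ValueError("row is not a clique")
    return len(row)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, is_proper(k, xor_color), len(color_classes(k)),
              clique_size(k), classes_use_each_index_once(k))
```

Since the clique found by `clique_size` has as many vertices as the XOR colouring has colours, the colouring is optimal for this graph.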

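Using Bernstein's inequality for locally dependent random variables [33], we get that for all $\tau > 0$,

$$\begin{aligned}
\Pr_{CD}\bigl[H \le \mathbb{E}_{CD} H - \tau\bigr]
&\le \exp\Bigl(-\frac{8\tau^2}{25 \cdot 2^k \bigl(4^k (\tfrac{3}{8})^m + \tfrac{1}{3}\tau\bigr)}\Bigr) \\
&\le \exp\Bigl(-\frac{8\tau^2}{25 \cdot 2^k \max\{2 \cdot (\tfrac{3}{2})^k (\tfrac{8}{3})^{k-m},\ \tfrac{2}{3}\tau\}}\Bigr) \\
&= \max\Bigl\{\exp\Bigl(-\frac{4\tau^2}{25 \cdot 3^k (\tfrac{8}{3})^{k-m}}\Bigr),\ \exp\Bigl(-\frac{12\tau}{25 \cdot 2^k}\Bigr)\Bigr\}.
\end{aligned} \tag{105}$$

Now set

$$\tau := 4^k 2^{-m} k^{-1} = 2^k 2^{k-m} k^{-1}, \tag{106}$$

which implies

$$\Pr\bigl[H \le 4^k 2^{-m}(1 - k^{-1})\bigr] \le \max\bigl\{\exp\bigl(-\tfrac{4}{25}(\tfrac{4}{3})^k (\tfrac{3}{2})^{k-m} k^{-2}\bigr),\ \exp\bigl(-\tfrac{12}{25} 2^{k-m} k^{-1}\bigr)\bigr\}. \tag{107}$$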

Now take the union bound over all subsets $A \subset [n]$ of size $|A| = m$, and all measurement outcomes
$M_A$ that correspond to measurements chosen from the set $L$ and performed on the qubits in the set $A$.
(There are $\binom{n}{m} \le 2^n$ such sets, and $(2|L|)^m \le (O(1/\varepsilon^2))^m \le (O(n^2))^m \le 2^{O(n\lg n)}$ such measurement
outcomes.) So, with probability $\ge 1 - 2^{O(n\lg n)} \cdot \max\{\exp(-\tfrac{4}{25}(\tfrac{4}{3})^k (\tfrac{3}{2})^{k-m} k^{-2}),\ \exp(-\tfrac{12}{25} 2^{k-m} k^{-1})\}$
(over the choice of $C$ and $D$), we have that:

for all subsets $A$ of size $m$, and all measurement outcomes $M_A$,

$$H \ge 4^k 2^{-m}(1 - k^{-1}), \quad \text{and hence} \quad \Pr[M_A] \ge 2^{-m}(1 - k^{-1}). \tag{108}$$

Recall that $m \le (0.7067)k$, and $k \approx (0.3991)n$; this implies that the failure probability is doubly-
exponentially small in $n$.

Next, fix some subset of qubits $A \subset [n]$, $|A| = m$, and some measurement outcome $M_A =
|\psi_A\rangle\langle\psi_A|$, as before. We will now upper-bound the quantity

$$F := \sum_{s,t \in \{0,1\}^k} F_{st}, \quad \text{where } F_{st} := \Pr[M_A \mid S = s, T = t]^2 = |\langle\psi_A|E(s,t)_A\rangle|^4. \tag{109}$$

First, note that $\mathbb{E}_{CD} F_{st} \le (\tfrac{3}{8})^m$ and $\mathbb{E}_{CD} F \le 4^k (\tfrac{3}{8})^m$, by the same argument shown in equations
(65)-(69) in the proof of Lemma 2.9. In addition, since $0 \le F_{st} \le 1$, we have that $\mathrm{Var}_{CD} F_{st} \le
\mathbb{E}_{CD}(F_{st}^2) \le \mathbb{E}_{CD} F_{st} \le (\tfrac{3}{8})^m$.

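Now Bernstein's inequality for locally dependent random variables [33] implies that, for all $\tau > 0$,

$$\Pr_{CD}\bigl[F \ge \mathbb{E}_{CD} F + \tau\bigr] \le \exp\Bigl(-\frac{8\tau^2}{25 \cdot 2^k \bigl(4^k (\tfrac{3}{8})^m + \tfrac{1}{3}\tau\bigr)}\Bigr). \tag{110}$$

Recall that $m \le k/\lg(\tfrac{8}{3})$, and note that this implies $2^k (\tfrac{3}{8})^m \ge 1$. Now set

$$\tau = \eta\, 4^k (\tfrac{3}{8})^m, \quad \text{for any } \eta \ge 1. \tag{111}$$

This implies $4^k (\tfrac{3}{8})^m + \tfrac{1}{3}\tau \le (1 + \tfrac{1}{3})\,\eta\, 4^k (\tfrac{3}{8})^m = \tfrac{4}{3}\tau$. Substituting into the above equation, we get

$$\Pr\bigl[F \ge 4^k (\tfrac{3}{8})^m (1 + \eta)\bigr] \le \exp\bigl(-\tfrac{6}{25}\,\eta\, 2^k (\tfrac{3}{8})^m\bigr) \le \exp(-\tfrac{6}{25}\eta). \tag{112}$$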

Now take the union bound over all subsets $A \subset [n]$ of size $|A| = m$, and all measurement outcomes
$M_A$ that correspond to measurements chosen from the set $L$ and performed on the qubits in the set
$A$. Then, with probability $\ge 1 - 2^{O(n\lg n)} \exp(-\tfrac{6}{25}\eta)$, we have that:

$$\text{for all subsets } A \text{ of size } m, \text{ and all measurement outcomes } M_A, \quad F \le 4^k (\tfrac{3}{8})^m (1 + \eta). \tag{113}$$

By setting $\eta := \Theta(n\lg n)$, we can make the failure probability exponentially small in $n$.

Finally, we will combine equations (108) and (113) to get a lower bound on $H_2(S,T \mid M_A)$. For
any $A$ and $M_A$, we write

$$\begin{aligned}
2^{-H_2(S,T \mid M_A)} &= \sum_{s,t \in \{0,1\}^k} \Pr[S = s, T = t \mid M_A]^2 \\
&= \Pr[M_A]^{-2}\, 4^{-2k} \sum_{s,t \in \{0,1\}^k} \Pr[M_A \mid S = s, T = t]^2 \\
&= \Pr[M_A]^{-2}\, 4^{-2k}\, F \\
&\le \bigl[2^{-m}(1 - k^{-1})\bigr]^{-2}\, 4^{-2k}\, 4^k (\tfrac{3}{8})^m (1 + \eta) \\
&= 4^{-k} (\tfrac{3}{2})^m \frac{1 + \eta}{(1 - k^{-1})^2}.
\end{aligned} \tag{114}$$

This implies

$$\begin{aligned}
H_2(S,T \mid M_A) &\ge 2k - m\lg(\tfrac{3}{2}) - \lg(1 + \eta) + 2\lg(1 - k^{-1}) \\
&\ge 2k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n)).
\end{aligned} \tag{115}$$

This completes the proof of Lemma 3.3. □



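We now return to the proof of Theorem 3.2. Consider any measurement strategy $\mathcal{M} \in M'$, and
let $Z$ be its output. We will upper-bound the amount of information extracted during the first $m$
steps, using Lemma 3.3:

$$\begin{aligned}
I(S,T; Z_{1,\ldots,m}) &= H(S,T) - H(S,T \mid Z_{1,\ldots,m}) \\
&\le H(S,T) - \sum_{z_{1,\ldots,m}} \Pr[Z_{1,\ldots,m} = z_{1,\ldots,m}]\, H_2(S,T \mid Z_{1,\ldots,m} = z_{1,\ldots,m}) \\
&\le 2k - \bigl[2k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n))\bigr] \\
&= m\lg(\tfrac{3}{2}) + \lg(O(n\lg n)) \\
&= k\,\frac{\lg(3/2)}{\lg(8/3)} + \lg(O(n\lg n)).
\end{aligned} \tag{116}$$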

Next, we will analyze the subsequent steps of the adversary. First, let us fix some subset of qubits
$A \subset [n]$, of size $|A| = m$, and some measurement outcome $M_A$; these represent past actions of the
adversary during its first $m$ steps. We will then upper-bound the amount of information gained by
the adversary in the next $\tilde{m}$ steps, conditioned on $M_A$. Finally, we will use the union bound to show
that this result holds simultaneously for all choices of $A$ and $M_A$.

To simplify the notation, let us define $h := H_2(S,T \mid M_A)$, and $p_{st} := \Pr[S = s, T = t \mid M_A]$; so we
have

$$\sum_{s,t \in \{0,1\}^k} p_{st}^2 \le 2^{-h}. \tag{117}$$

Note that $h$ and $p_{st}$ depend only on the qubits in the set $A$; so they only depend on those random
variables $C(s)_a$ and $D(t)_a$ with $a \in A$. As shown above, with probability $\ge 1 - e^{-\Omega(n)}$ (over this
subset of the random variables $C$ and $D$),

$$h \ge 2k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n)). \tag{118}$$

We will look at the next $\tilde{m}$ steps of the adversary, and we set

$$\tilde{m} := \lfloor h - k \rfloor \ge k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n)). \tag{119}$$

More precisely, we let $\tilde{M}$ be the set of all possible measurement strategies that an adversary in $M'$
may follow for the next $\tilde{m}$ steps, after having received measurement outcome $M_A$ on the first $m$
steps. We let $\tilde{Z} := (Z_{m+1}, \ldots, Z_{m+\tilde{m}})$ be the output of the adversary on the next $\tilde{m}$ steps. Note
that this depends only on the qubits outside the set $A$; so it only depends on those random variables
$C(s)_a$ and $D(t)_a$ with $a \notin A$. We refer to this subset of random variables as $\tilde{C}$ and $\tilde{D}$. We show the
following lemma:

Lemma 3.4. Fix a particular subset of qubits $A$ and a particular measurement outcome $M_A$, as
described above. Let $t_0 > 0$ and $u \ge 1$. With probability $\ge 1 - \exp(-2t_0^2) - 2 \cdot 2^{-u^2}$ (over the choice
of $\tilde{C}$ and $\tilde{D}$), the following statement holds:

$$\forall \mathcal{M} \in \tilde{M}, \quad I(\tilde{Z}; S,T \mid M_A) \le \frac{\tilde{m}}{2} + \frac{t_0 \tilde{m}}{2^{\tilde{m}/2}} + u \cdot O(\sqrt{\log n}). \tag{120}$$

Proof: We want to upper-bound the quantity

$$I(\tilde{Z}; S,T \mid M_A) = H(\tilde{Z} \mid M_A) - H(\tilde{Z} \mid S,T,M_A). \tag{121}$$

We know that $H(\tilde{Z} \mid M_A) \le \tilde{m}$, since the adversary uses 2-outcome measurements. We now want to
lower-bound $H(\tilde{Z} \mid S,T,M_A)$. For any $\mathcal{M} \in \tilde{M}$, we define

$$Q_{\mathcal{M}} := H(\tilde{Z} \mid S,T,M_A), \tag{122}$$

which is a random variable depending on $\tilde{C}$ and $\tilde{D}$. Note that we can write

$$Q_{\mathcal{M}} = \sum_{s,t \in \{0,1\}^k} p_{st}\, H(\tilde{Z} \mid S = s, T = t, M_A). \tag{123}$$

Let $\mu_{\mathcal{M}} := \mathbb{E}_{\tilde{C}\tilde{D}}\, Q_{\mathcal{M}}$; we will prove a lower bound for $\mu_{\mathcal{M}}$ below. We will then use entropy chaining
(Lemma C.1) to lower-bound the quantity

$$\inf_{\mathcal{M} \in \tilde{M}} (Q_{\mathcal{M}} - \mu_{\mathcal{M}}). \tag{124}$$

First, we evaluate $\mu_{\mathcal{M}}$. Using the same argument as in the proof of Theorem 2.7, we get that

$$\mu_{\mathcal{M}} \ge \tilde{m}/2. \tag{125}$$

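We now show several technical facts which are needed in order to apply the entropy chaining
argument (Lemma C.1). First, fix some particular strategy $\mathcal{M}_0 \in \tilde{M}$. We will show that $Q_{\mathcal{M}_0}$ is
tightly concentrated around its mean. Observe that $Q_{\mathcal{M}_0}$ is a sum of $4^k$ random variables, and recall
that their dependency graph $\Gamma$ has chromatic number $\chi(\Gamma) \le 2^k$. Using Hoeffding's inequality for
locally dependent random variables [33, 31], we get that

$$\Pr_{\tilde{C}\tilde{D}}\bigl[Q_{\mathcal{M}_0} \le \mu_{\mathcal{M}_0} - t\bigr] \le \exp\Bigl(-\frac{2t^2}{2^k \sum_{st} (p_{st}\tilde{m})^2}\Bigr) \le \exp\Bigl(-\frac{2t^2 \cdot 2^{\tilde{m}}}{\tilde{m}^2}\Bigr) \quad (\forall t > 0), \tag{126}$$

or equivalently

$$\Pr_{\tilde{C}\tilde{D}}\Bigl[Q_{\mathcal{M}_0} \le \mu_{\mathcal{M}_0} - \frac{t_0 \tilde{m}}{2^{\tilde{m}/2}}\Bigr] \le \exp(-2t_0^2) \quad (\forall t_0 > 0). \tag{127}$$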

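Next, we show that when two strategies $\mathcal{M}$ and $\mathcal{M}'$ are "similar," the random variables $Q_{\mathcal{M}}$
and $Q_{\mathcal{M}'}$ are positively correlated. In particular, suppose that $\mathcal{M}$ and $\mathcal{M}'$ behave identically for
the first $\ell$ steps. Let $Z_{1,\ldots,\tilde{m}}$ and $Z'_{1,\ldots,\tilde{m}}$ be the output of these two strategies; then $(Z_{1,\ldots,\ell}, U)$ and
$(Z'_{1,\ldots,\ell}, U)$ have the same distribution. So we can write

$$\begin{aligned}
Q_{\mathcal{M}} - Q_{\mathcal{M}'} &= H(Z_{\ell+1,\ldots,\tilde{m}} \mid Z_{1,\ldots,\ell}, S, T, M_A) - H(Z'_{\ell+1,\ldots,\tilde{m}} \mid Z'_{1,\ldots,\ell}, S, T, M_A) \\
&= \sum_{s,t \in \{0,1\}^k} p_{st} \bigl[H(Z_{\ell+1,\ldots,\tilde{m}} \mid Z_{1,\ldots,\ell}, S = s, T = t, M_A) - H(Z'_{\ell+1,\ldots,\tilde{m}} \mid Z'_{1,\ldots,\ell}, S = s, T = t, M_A)\bigr],
\end{aligned} \tag{128}$$

which again is a sum of $4^k$ locally-dependent random variables. By Hoeffding's inequality (with local
dependencies),

$$\Pr_{\tilde{C}\tilde{D}}\bigl[Q_{\mathcal{M}} - Q_{\mathcal{M}'} - \mu_{\mathcal{M}} + \mu_{\mathcal{M}'} \ge t\bigr] \le \exp\Bigl(-\frac{2t^2}{2^k \sum_{st} (p_{st} \cdot 2(\tilde{m} - \ell))^2}\Bigr) \le \exp\Bigl(-\frac{t^2 \cdot 2^{\tilde{m}}}{2(\tilde{m} - \ell)^2}\Bigr). \tag{129}$$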

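We can rewrite this bound in terms of a metric $d$ that measures the "distance" between strategies.
We define $d$ as follows:$^9$

$$d(\mathcal{M},\mathcal{M}') := \sqrt{2} \cdot 2^{-\tilde{m}/2}\,(\tilde{m} - \ell(\mathcal{M},\mathcal{M}')), \quad \text{where} \tag{130}$$

$$\ell(\mathcal{M},\mathcal{M}') := \max\{\ell \mid 0 \le \ell \le \tilde{m}, \text{ and } \mathcal{M} \text{ and } \mathcal{M}' \text{ behave identically on steps } 1,2,\ldots,\ell\}. \tag{131}$$

We then have

$$\Pr_{\tilde{C}\tilde{D}}\bigl[Q_{\mathcal{M}} - Q_{\mathcal{M}'} - \mu_{\mathcal{M}} + \mu_{\mathcal{M}'} \ge t\bigr] \le \exp\Bigl(-\frac{t^2}{d(\mathcal{M},\mathcal{M}')^2}\Bigr). \tag{132}$$

$^9$ Note that $d$ is indeed a metric: It is easy to see that $d(\mathcal{M},\mathcal{M}') \ge 0$, with equality iff $\mathcal{M} = \mathcal{M}'$. Also, clearly
$d(\mathcal{M},\mathcal{M}') = d(\mathcal{M}',\mathcal{M})$. It remains to show that $d(\mathcal{M},\mathcal{M}'') \le d(\mathcal{M},\mathcal{M}') + d(\mathcal{M}',\mathcal{M}'')$. We consider two cases. On one
hand, if $\mathcal{M}'$ satisfies $\ell(\mathcal{M},\mathcal{M}') \le \ell(\mathcal{M},\mathcal{M}'')$ or $\ell(\mathcal{M}',\mathcal{M}'') \le \ell(\mathcal{M},\mathcal{M}'')$, then the claim follows immediately. On the
other hand, if $\mathcal{M}'$ satisfies $\ell(\mathcal{M},\mathcal{M}') > \ell(\mathcal{M},\mathcal{M}'')$ and $\ell(\mathcal{M}',\mathcal{M}'') > \ell(\mathcal{M},\mathcal{M}'')$, then this is impossible, since $\mathcal{M}$ and
$\mathcal{M}''$ do not agree at step $\ell(\mathcal{M},\mathcal{M}'') + 1$; hence this case cannot occur.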



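Next, we bound the covering numbers of $\tilde{M}$ with respect to the metric $d$, and we bound the
integral appearing in Lemma C.1 ("Dudley's entropy integral"). Using the same argument as in the
proof of Theorem 2.7, we get that

$$S \le O(\sqrt{\log n}). \tag{133}$$

Finally, using Lemma C.1, we have that: for all $t_0 > 0$ and $u \ge 1$, with probability $\ge 1 -
\exp(-2t_0^2) - 2 \cdot 2^{-u^2}$, the following holds:

$$\forall \mathcal{M} \in \tilde{M}, \quad Q_{\mathcal{M}} - \mu_{\mathcal{M}} \ge -\frac{t_0 \tilde{m}}{2^{\tilde{m}/2}} - uS. \tag{134}$$

This implies

$$\forall \mathcal{M} \in \tilde{M}, \quad Q_{\mathcal{M}} \ge \frac{\tilde{m}}{2} - \frac{t_0 \tilde{m}}{2^{\tilde{m}/2}} - u \cdot O(\sqrt{\log n}). \tag{135}$$

Hence

$$\forall \mathcal{M} \in \tilde{M}, \quad I(\tilde{Z}; S,T \mid M_A) \le \frac{\tilde{m}}{2} + \frac{t_0 \tilde{m}}{2^{\tilde{m}/2}} + u \cdot O(\sqrt{\log n}). \tag{136}$$

This proves the claim. □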

We now return to the proof of Theorem 3.2. We take the union bound over all subsets $A \subset [n]$ of
size $|A| = m$, and all measurement outcomes $M_A$ that correspond to measurements chosen from the
set $L$ and performed on the qubits in the set $A$. Then, with probability $\ge 1 - 2^{O(n\lg n)} \cdot \exp(-2t_0^2) -
2^{O(n\lg n)} \cdot 2 \cdot 2^{-u^2}$, we have that:

for all subsets $A$ of size $m$, and all measurement outcomes $M_A$,

$$I(\tilde{Z}; S,T \mid M_A) \le \frac{\tilde{m}}{2} + \frac{t_0 \tilde{m}}{2^{\tilde{m}/2}} + u \cdot O(\sqrt{\log n}). \tag{137}$$

By setting $t_0 := \Theta(\sqrt{n\log n})$ and $u := \Theta(\sqrt{n\log n})$, we can make the failure probability exponentially
small in $n$.

Hence, for any measurement strategy $\mathcal{M} \in M'$, with output $Z$, and any sequence of measurement
outcomes $z_{1,\ldots,m}$, we have

$$I(Z_{m+1,\ldots,m+\tilde{m}}; S,T \mid Z_{1,\ldots,m} = z_{1,\ldots,m}) \le \frac{\tilde{m}}{2} + O(\sqrt{n}\log n), \tag{138}$$

and hence

$$I(Z_{m+1,\ldots,m+\tilde{m}}; S,T \mid Z_{1,\ldots,m}) \le \frac{\tilde{m}}{2} + O(\sqrt{n}\log n). \tag{139}$$

Finally, we consider the remaining steps of the adversary. Using Holevo's inequality [26] (see the
proof of Theorem 2.8), we get that

$$I(Z_{m+\tilde{m}+1,\ldots,n}; S,T \mid Z_{1,\ldots,m+\tilde{m}}) \le n - m - \tilde{m}. \tag{140}$$

Combining equations (116), (139) and (140), we get that

$$\begin{aligned}
I(Z; S,T) &\le m\lg(\tfrac{3}{2}) + \lg(O(n\lg n)) + \tfrac{1}{2}\tilde{m} + O(\sqrt{n}\log n) + n - m - \tilde{m} \\
&= n - m\lg(\tfrac{4}{3}) - \tfrac{1}{2}\tilde{m} + O(\sqrt{n}\log n).
\end{aligned}$$

From equations (87), (97) and (119), we have that

n<T=j^ + O(Vn)«(2.5056)fc + O(Vn), (142) 
$$m = \lfloor k/\lg(8/3) \rfloor \approx \lfloor (0.7067)k \rfloor, \tag{143}$$

$$\begin{aligned}
\tilde{m} &\ge k - m\lg(\tfrac{3}{2}) - \lg(O(n\lg n)) \\
&\ge k - k\,\frac{\lg(3/2)}{\lg(8/3)} - \lg(O(n\lg n)) \\
&\approx (0.5866)k - \lg(O(n\lg n)).
\end{aligned} \tag{144}$$

Combining these bounds, we get that

$$I(Z; S,T) \le (1.9190)k + O(\sqrt{n}\log n), \tag{145}$$

as desired. □
A High success probability implies high mutual information

Lemma A.1 (restatement of Lemma 2.2). Suppose that $\Pr[Z = U] \ge 1 - \varepsilon$, and $\varepsilon$ is sufficiently
small that $2\sqrt{\varepsilon} + 2^{-n} \le 1/e$. Then $I(Z;U) \ge (1 - 5\sqrt{\varepsilon})n - \eta(2\sqrt{\varepsilon})$, where $\eta(x) := -x\lg x$.

Proof: First, we claim that, for most $u \in \{0,1\}^n$, $\Pr[Z = u \mid U = u]$ is close to 1. To see this, suppose
$u$ is chosen uniformly at random in $\{0,1\}^n$, and define $\gamma(u) := 1 - \Pr[Z = u \mid U = u]$. Note that
$\gamma(u) \ge 0$ and

$$\mathbb{E}_u[\gamma(u)] = 2^{-n} \sum_{u \in \{0,1\}^n} \bigl(1 - \Pr[Z = u \mid U = u]\bigr) = 1 - \Pr[Z = U] \le \varepsilon. \tag{146}$$

By Markov's inequality, for any $C \ge 1$, $\Pr_u[\gamma(u) \ge C\varepsilon] \le \tfrac{1}{C}$. Therefore, there exists a subset
$S \subset \{0,1\}^n$ of size $|S| \ge 2^n(1 - \tfrac{1}{C})$, such that for all $u \in S$,

$$\Pr[Z = u \mid U = u] \ge 1 - C\varepsilon. \tag{147}$$

We need to choose $C$ such that both $\tfrac{1}{C}$ and $C\varepsilon$ are small. For concreteness, we set $C = \tfrac{1}{\sqrt{\varepsilon}}$, which
implies that $\tfrac{1}{C} = \sqrt{\varepsilon} = C\varepsilon$.

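We now show that $H(Z \mid U)$ is small. We write $H(Z \mid U) = 2^{-n} \sum_{u \in \{0,1\}^n} H(Z \mid U = u)$, and we
upper-bound $H(Z \mid U = u)$. First, consider the case where $u \in S$. We bound the total-variation
distance between the random variables $Z|_{U=u}$ and $U|_{U=u}$ as follows: (note that $U|_{U=u}$ equals $u$ with
probability 1)

$$\begin{aligned}
\Delta(Z|_{U=u}, U|_{U=u}) &= \bigl|\Pr[Z = u \mid U = u] - 1\bigr| + \sum_{z \ne u} \bigl|\Pr[Z = z \mid U = u] - 0\bigr| \\
&= 1 - \Pr[Z = u \mid U = u] + \Pr[Z \ne u \mid U = u] \\
&= 2\bigl(1 - \Pr[Z = u \mid U = u]\bigr) \\
&\le 2C\varepsilon = 2\sqrt{\varepsilon}.
\end{aligned} \tag{148}$$

Using Fannes' inequality [35] (note that $2\sqrt{\varepsilon} \le 1/e$), we get that

$$H(Z \mid U = u) = \bigl|H(Z \mid U = u) - H(U \mid U = u)\bigr| \le 2\sqrt{\varepsilon} \cdot n + \eta(2\sqrt{\varepsilon}). \tag{149}$$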

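Next, consider the case where $u \notin S$. Here we use the trivial bound, $H(Z \mid U = u) \le n$. We now
bound $H(Z \mid U)$ as follows:

$$H(Z \mid U) \le 2^{-n} |S| \bigl(2\sqrt{\varepsilon} \cdot n + \eta(2\sqrt{\varepsilon})\bigr) + 2^{-n} |S^c|\, n. \tag{150}$$

The right-hand side is largest when $|S| = 2^n(1 - \sqrt{\varepsilon})$, so we get

$$\begin{aligned}
H(Z \mid U) &\le (1 - \sqrt{\varepsilon})\bigl(2\sqrt{\varepsilon} \cdot n + \eta(2\sqrt{\varepsilon})\bigr) + \sqrt{\varepsilon} \cdot n \\
&\le 3\sqrt{\varepsilon} \cdot n + \eta(2\sqrt{\varepsilon}).
\end{aligned} \tag{151}$$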

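Next, we observe that, for most $z \in \{0,1\}^n$, $\Pr[Z = z]$ is not much smaller than $2^{-n}$. More
precisely, for all $z \in S$, we have a lower bound:

$$\Pr[Z = z] \ge 2^{-n} \Pr[Z = z \mid U = z] \ge 2^{-n}(1 - \sqrt{\varepsilon}). \tag{152}$$

We also show a (loose) upper-bound on $\Pr[Z = z]$, when $z \in S$, as follows:

$$\begin{aligned}
\Pr[Z = z] &= 2^{-n} \sum_{u \in \{0,1\}^n} \Pr[Z = z \mid U = u] \\
&\le 2^{-n} |S \setminus \{z\}| \sqrt{\varepsilon} + 2^{-n} + 2^{-n} |S^c|.
\end{aligned} \tag{153}$$

The right-hand side is largest when $|S| = 2^n(1 - \sqrt{\varepsilon})$, so we get

$$\begin{aligned}
\Pr[Z = z] &\le (1 - \sqrt{\varepsilon})\sqrt{\varepsilon} + 2^{-n} + \sqrt{\varepsilon} \\
&\le 2\sqrt{\varepsilon} + 2^{-n}.
\end{aligned} \tag{154}$$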

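Finally, we will show that $H(Z)$ is large. First, we write

$$H(Z) \ge \sum_{z \in S} \eta(\Pr[Z = z]). \tag{155}$$

Note that $\eta(x) := -x\lg x$ is increasing on the interval $[0, 1/e]$. From the previous paragraph, we
know that for all $z \in S$, we have $2^{-n}(1 - \sqrt{\varepsilon}) \le \Pr[Z = z] \le 2\sqrt{\varepsilon} + 2^{-n} \le 1/e$. So we can write

$$\begin{aligned}
H(Z) &\ge \sum_{z \in S} \eta\bigl(2^{-n}(1 - \sqrt{\varepsilon})\bigr) \\
&= |S|\, 2^{-n}(1 - \sqrt{\varepsilon})(-1)\lg\bigl(2^{-n}(1 - \sqrt{\varepsilon})\bigr) \\
&\ge (1 - \sqrt{\varepsilon})^2 \bigl(n - \lg(1 - \sqrt{\varepsilon})\bigr) \\
&\ge (1 - 2\sqrt{\varepsilon})\,n.
\end{aligned} \tag{156}$$

Finally, we combine equations (151) and (156) to get the desired lower bound on $I(Z;U) =
H(Z) - H(Z \mid U)$. □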
B Discretization of a full LOCC strategy

Lemma B.1 (restatement of Lemma 2.6). Let $\mathcal{M}$ be any $n$-party LOCC strategy with output $Z$,
where each party holds a single qubit, uses $q$-outcome measurements, and measures each qubit at
most once, and where all POVM elements have rank 1. Fix some $0 < \varepsilon \le 1/(qne)$, and let $L$ be the
$\varepsilon$-net for $S$ defined above. Let $\mathcal{M}'$ be the $n$-party LOCC strategy, with output $Z'$, that is obtained
by duplicating the strategy $\mathcal{M}$, and replacing each measurement $M \in S$ with the best approximating
measurement $M \in L$. Then

$$|I(Z';U) - I(Z;U)| \le 2qn^2\varepsilon + 2\eta(qn\varepsilon), \tag{157}$$

where $\eta(x) := -x\lg x$.

Proof: For any $u \in \{0,1\}^{\tilde{n}}$, let $Z|_{U=u}$ be the random variable $Z$ conditioned on the event $U = u$;
define $Z'|_{U=u}$ similarly. We will show that $Z|_{U=u}$ and $Z'|_{U=u}$ have nearly the same distribution,
compared using total variation distance (denoted $\Delta(\cdot,\cdot)$). To see this, let us define a sequence of
strategies that interpolate between $\mathcal{M}$ and $\mathcal{M}'$. For $a = 0, 1, 2, \ldots, n$, we define a strategy $\mathcal{M}^{(a)}$
(whose output is denoted $Z^{(a)}$) that does the same measurements as $\mathcal{M}'$ for steps $1, 2, \ldots, a$, and does
the same measurements as $\mathcal{M}$ for steps $a+1, a+2, \ldots, n$. Note that $\mathcal{M}^{(0)} = \mathcal{M}$ and $\mathcal{M}^{(n)} = \mathcal{M}'$,
and we have

$$\Delta(Z|_{U=u}, Z'|_{U=u}) \le \sum_{a=0}^{n-1} \Delta(Z^{(a)}|_{U=u}, Z^{(a+1)}|_{U=u}). \tag{158}$$

We now want to bound

$$\Delta(Z^{(a)}|_{U=u}, Z^{(a+1)}|_{U=u}) = \sum_{z \in [q]^n} \bigl|\Pr[Z^{(a)} = z \mid U = u] - \Pr[Z^{(a+1)} = z \mid U = u]\bigr|. \tag{159}$$

The state of the $n$ qubits is given by $|E(u)\rangle = \bigotimes_{a=1}^n |\alpha_{E(u)_a}\rangle$; to simplify notation, let us call this
state $|\psi\rangle = \bigotimes_{a=1}^n |\psi_a\rangle$. We will use the following notation: the strategy $\mathcal{M}$ is described by POVM
elements $M_i(z_{\le i})$, with the choice of which qubit to measure next being specified by $Q_i(z_{<i})$; the
strategy $\mathcal{M}'$ is described by slightly different POVM elements $M'_i(z_{\le i})$, and the same qubit choices
$Q_i(z_{<i})$. Then we can write

$$\Pr[Z^{(a)} = z \mid U = u] = \prod_{i=1}^{a} \langle\psi_{Q_i(z_{<i})}|M'_i(z_{\le i})|\psi_{Q_i(z_{<i})}\rangle \cdot \prod_{i=a+1}^{n} \langle\psi_{Q_i(z_{<i})}|M_i(z_{\le i})|\psi_{Q_i(z_{<i})}\rangle. \tag{160}$$

Hence

$$\begin{aligned}
\Delta(Z^{(a)}|_{U=u}, Z^{(a+1)}|_{U=u}) = \sum_{z \in [q]^n}\ &\prod_{i=1}^{a} \langle\psi_{Q_i(z_{<i})}|M'_i(z_{\le i})|\psi_{Q_i(z_{<i})}\rangle \\
&\cdot \bigl|\langle\psi_{Q_{a+1}(z_{<a+1})}|\bigl[M_{a+1}(z_{\le a+1}) - M'_{a+1}(z_{\le a+1})\bigr]|\psi_{Q_{a+1}(z_{<a+1})}\rangle\bigr| \\
&\cdot \prod_{i=a+2}^{n} \langle\psi_{Q_i(z_{<i})}|M_i(z_{\le i})|\psi_{Q_i(z_{<i})}\rangle.
\end{aligned} \tag{161}$$

Now we can use the bound $\|M_{a+1}(z_{\le a+1}) - M'_{a+1}(z_{\le a+1})\| \le \varepsilon$, and we can evaluate the sum over
$z$, using the fact that for any $z_{<i}$, $\sum_{z_i} M_i(z_{\le i}) = I$ (and similarly for $M'_i(z_{\le i})$). We get that

$$\Delta(Z^{(a)}|_{U=u}, Z^{(a+1)}|_{U=u}) \le q\varepsilon, \tag{162}$$

and therefore

$$\Delta(Z|_{U=u}, Z'|_{U=u}) \le qn\varepsilon, \tag{163}$$

which shows that $Z|_{U=u}$ and $Z'|_{U=u}$ have nearly identical distributions, as desired.

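In the remainder of the proof, we will bound the difference between $I(Z;U)$ and $I(Z';U)$. First,
using (the classical case of) Fannes' inequality [55], and assuming $qn\varepsilon \le 1/e$, we get that

$$|H(Z \mid U = u) - H(Z' \mid U = u)| \le qn^2\varepsilon + \eta(qn\varepsilon), \tag{164}$$

where $\eta(x) := -x\lg x$. This implies

$$|H(Z \mid U) - H(Z' \mid U)| = \Bigl|2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \bigl(H(Z \mid U = u) - H(Z' \mid U = u)\bigr)\Bigr| \le qn^2\varepsilon + \eta(qn\varepsilon). \tag{165}$$

Next, we can bound the total variation distance between $Z$ and $Z'$ as follows:

$$\begin{aligned}
\Delta(Z, Z') &= \sum_{z \in [q]^n} \Bigl|2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \bigl(\Pr[Z = z \mid U = u] - \Pr[Z' = z \mid U = u]\bigr)\Bigr| \\
&\le 2^{-\tilde{n}} \sum_{u \in \{0,1\}^{\tilde{n}}} \Delta(Z|_{U=u}, Z'|_{U=u}) \\
&\le qn\varepsilon.
\end{aligned} \tag{166}$$

Then, by Fannes' inequality,

$$|H(Z) - H(Z')| \le qn^2\varepsilon + \eta(qn\varepsilon). \tag{167}$$

Combining these bounds, we get

$$|I(Z;U) - I(Z';U)| \le 2qn^2\varepsilon + 2\eta(qn\varepsilon), \tag{168}$$

as desired. □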

C Entropy chaining 

We prove a variant of Dudley's inequality, for bounding the expected supremum of a family of
correlated random variables, $\mathbb{E} \sup_t X_t$, using entropy chaining. Our claim is a slight generalization
of the usual statement of Dudley's inequality, in that it allows the random variables $X_t$ to have
different means; also, we state our result as a tail bound on $\sup_t X_t$, which is stronger than the usual
form of Dudley's inequality. Nonetheless, the proof is more or less the same as the usual one; see,
e.g., [22].

Lemma C.1 (Dudley's inequality tail bound). Let $\{X_t \mid t \in T\}$ be a family of random variables
taking values in $\mathbb{R}$. Define $\mu_t := \mathbb{E} X_t$.

Let $d(\cdot,\cdot)$ be a metric on the set $T$, such that the following "increment condition" holds:

$$\Pr[X_s - X_t - \mu_s + \mu_t \ge u] \le \exp(-u^2/d(s,t)^2), \quad \forall s,t \in T,\ \forall u > 0. \tag{169}$$

(Note that, by exchanging $s$ and $t$, this also implies a similar bound on the lower tail of $X_s - X_t$.)
Also, suppose that, for any sequence $s_1, s_2, s_3, \ldots \in T$, and any $t \in T$, if $\lim_{j \to \infty} d(s_j, t) = 0$, then
$\lim_{j \to \infty} \mu_{s_j} = \mu_t$.

Suppose there exist $t_0 \in T$ and $\delta, \varepsilon > 0$, such that $\Pr[X_{t_0} - \mu_{t_0} \ge \delta] \le \varepsilon$. Then we have the
following bound:

$$\Pr\bigl[\sup_{t \in T}(X_t - \mu_t) \ge \delta + uS\bigr] \le \varepsilon + 2 \cdot 2^{-u^2}, \quad \forall u \ge 1, \tag{170}$$

where

$$S \le C_0 \int_0^\infty \sqrt{\log N(T,d,\varepsilon)}\, d\varepsilon, \tag{171}$$

$C_0$ is a numerical constant, and $N(T,d,\varepsilon)$ is the covering number, i.e., the minimum cardinality of
an $\varepsilon$-net for the set $T$ with respect to the metric $d(\cdot,\cdot)$.

By applying the same argument to the random variables $\{-X_t \mid t \in T\}$, we also have a lower
bound. Suppose there exist $t_0 \in T$ and $\delta, \varepsilon > 0$, such that $\Pr[X_{t_0} - \mu_{t_0} \le -\delta] \le \varepsilon$. Then:

$$\Pr\bigl[\inf_{t \in T}(X_t - \mu_t) \le -\delta - uS\bigr] \le \varepsilon + 2 \cdot 2^{-u^2}, \quad \forall u \ge 1. \tag{172}$$

Proof: We use a standard entropy chaining argument [25]. Fix some $r \ge 2$, and choose some integer
$j_0$ such that $r^{-(j_0+1)} \le \mathrm{diam}(T) \le r^{-j_0}$. For all $j \ge j_0$, we will construct sets $\Pi_j \subset T$ and maps
$\pi_j : T \to \Pi_j$ that have the following properties:

$$\pi_{j_0}(t) = t_0, \quad \forall t \in T, \tag{173}$$

$$\lim_{j \to \infty} d(\pi_j(t), t) = 0, \quad \forall t \in T, \tag{174}$$

$$d(\pi_j(t), \pi_{j-1}(t)) \le 2r^{-(j-1)}, \quad \forall t \in T,\ \forall j \ge j_0 + 1. \tag{175}$$

(Intuitively, for each $t \in T$, the sequence of points $\{\pi_j(t) \mid j = j_0, j_0+1, j_0+2, \ldots\}$ starts at $t_0$ and
quickly converges to $t$.) Also note that equation (174) implies that

$$\lim_{j \to \infty} \mu_{\pi_j(t)} = \mu_t, \quad \forall t \in T. \tag{176}$$

We will construct the sets $\Pi_j$ and maps $\pi_j$ later. In the mean time, note that

$$X_t - X_{t_0} = \sum_{j \ge j_0+1} X_{\pi_j(t)} - X_{\pi_{j-1}(t)}, \tag{177}$$

$$\mu_t - \mu_{t_0} = \sum_{j \ge j_0+1} \mu_{\pi_j(t)} - \mu_{\pi_{j-1}(t)}. \tag{178}$$

Fix any real numbers $a_j > 0$ (for all $j \ge j_0 + 1$). (We will choose values for the $a_j$ later.) Define
$S := \sum_{j \ge j_0+1} a_j$, and fix any $u > 0$. Note that, for any $t \in T$, if

$$X_{\pi_j(t)} - X_{\pi_{j-1}(t)} < \mu_{\pi_j(t)} - \mu_{\pi_{j-1}(t)} + u a_j, \quad \forall j \ge j_0 + 1, \tag{179}$$

then $X_t - X_{t_0} < \mu_t - \mu_{t_0} + uS$. Moreover, using the increment condition (169), we have that

$$\Pr\bigl[X_{\pi_j(t)} - X_{\pi_{j-1}(t)} \ge \mu_{\pi_j(t)} - \mu_{\pi_{j-1}(t)} + u a_j\bigr] \le \exp\bigl(-u^2 a_j^2 / (2r^{-(j-1)})^2\bigr). \tag{180}$$

Hence, using the union bound, we get that

$$\begin{aligned}
&\Pr\bigl[\exists t \in T \text{ s.t. } X_t - X_{t_0} \ge \mu_t - \mu_{t_0} + uS\bigr] \\
&\quad \le \Pr\bigl[\exists t \in T,\ \exists j \ge j_0 + 1, \text{ s.t. } X_{\pi_j(t)} - X_{\pi_{j-1}(t)} \ge \mu_{\pi_j(t)} - \mu_{\pi_{j-1}(t)} + u a_j\bigr] \\
&\quad \le \sum_{j \ge j_0+1} |\Pi_j||\Pi_{j-1}| \exp\bigl(-u^2 a_j^2 / (2r^{-(j-1)})^2\bigr).
\end{aligned} \tag{181}$$

Now set $a_j := 2r^{-(j-1)} \sqrt{\log(2^{j-j_0} |\Pi_j||\Pi_{j-1}|)}$, and assume that $u^2 \ge 1$. Then we have

$$\begin{aligned}
&\Pr\bigl[\exists t \in T \text{ s.t. } X_t - X_{t_0} \ge \mu_t - \mu_{t_0} + uS\bigr] \\
&\quad \le \sum_{j \ge j_0+1} |\Pi_j||\Pi_{j-1}| \bigl(2^{j-j_0} |\Pi_j||\Pi_{j-1}|\bigr)^{-u^2} \\
&\quad \le 2^{-u^2} \sum_{a=0}^{\infty} 2^{-a} \le 2 \cdot 2^{-u^2}.
\end{aligned} \tag{182}$$

We can rewrite this as $\Pr[\sup_{t \in T}(X_t - \mu_t) \ge X_{t_0} - \mu_{t_0} + uS] \le 2 \cdot 2^{-u^2}$. This now implies the claimed
bound (170), and by applying the same argument to the random variables $\{-X_t \mid t \in T\}$, we also
get the bound (172).

It remains to construct the sets $\Pi_j$ and maps $\pi_j$, and prove the upper bound on $S$ shown in
(171). For each $j > j_0$, we choose the set $\Pi_j$ to be an $\varepsilon$-net for the set $T$, with $\varepsilon = r^{-j}$, and with
respect to the metric $d(\cdot,\cdot)$. In particular, we choose $\Pi_j$ to be an $\varepsilon$-net of minimum cardinality, so
that $|\Pi_j| = N(T, d, r^{-j})$. For notational convenience, we define $N_j := |\Pi_j|$. In the case of $j = j_0$,
we let $\Pi_j = \{t_0\}$, recalling that $\mathrm{diam}(T) \le r^{-j_0}$. We define $\pi_j$ to be the map that, given any point
$t \in T$, returns the nearest point in $\Pi_j$; hence, $d(\pi_j(t), t) \le r^{-j}$. Note that equations (173) and (174)
are satisfied, and (175) follows from the triangle inequality.

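We upper-bound $S$ as follows:

$$\begin{aligned}
S = \sum_{j \ge j_0+1} a_j &= \sum_{j \ge j_0+1} 2r^{-(j-1)} \sqrt{\log(2^{j-j_0} N_j N_{j-1})} \\
&\le \sum_{j \ge j_0+1} 2r^{-(j-1)} \Bigl(\sqrt{(j - j_0)\log 2} + \sqrt{\log N_j} + \sqrt{\log N_{j-1}}\Bigr) \\
&\le r^{-j_0} \sum_{j=1}^{\infty} 2r^{-(j-1)} \sqrt{j \log 2} + (r + 1) \sum_{j \ge j_0} 2r^{-j} \sqrt{\log N_j} \\
&= r^{-j_0} K(r) + (r + 1) \sum_{j \ge j_0} 2r^{-j} \sqrt{\log N_j},
\end{aligned} \tag{183}$$

where we used the fact that $\sqrt{a + b} \le \sqrt{a} + \sqrt{b}$ (for all $a, b \ge 0$), and we defined $K(r) :=
\sum_{j=1}^{\infty} 2r^{-(j-1)} \sqrt{j \log 2}$. Next, recall that $\mathrm{diam}(T) \ge r^{-(j_0+1)} \ge 2r^{-(j_0+2)}$, and hence $N_{j_0+2} \ge 2$. So
we can write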

^(0P +r+ Oj> _V1 ^ (184) 

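We will now replace the sum on the right hand side by an integral. Note that, for any $\varepsilon \le r^{-j}$, we
have $N(T, d, \varepsilon) \ge N_j$. So we can write

$$\int_{r^{-(j+1)}}^{r^{-j}} \sqrt{\log N(T,d,\varepsilon)}\, d\varepsilon \ge (1 - \tfrac{1}{r})\, r^{-j} \sqrt{\log N_j}, \tag{185}$$

and hence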

S< (0= +r+ l)-2(l- i)- 1 f Vlog N(T,d,e)de. (186) 

Note that we can extend the integral over the interval $[0, \infty)$ without weakening the bound; for when
$\varepsilon \ge r^{-j_0}$, we have $N(T,d,\varepsilon) = 1$, hence $\sqrt{\log N(T,d,\varepsilon)} = 0$. Now set $r \ge 2$ to be some numerical
constant. This proves equation (171). □